Sanluan PublicCMS Server-Side Template Injection Vulnerability in TemplateResult API Allows Authorization Bypass and Sensitive Information Disclosure
Vulnerability
A server-side template injection vulnerability has been identified in Sanluan PublicCMS version 5.202506.d. The issue arises in the TemplateResult API, specifically within the execute function of the TemplateResultDirective class. This vulnerability allows authenticated users with low-privilege app tokens to bypass authorization checks and access sensitive server information. The flaw is caused by the direct evaluation of user-controlled template content in the FreeMarker template engine, without proper authorization enforcement. Exploitation is possible by embedding calls to internal directives that disclose server properties or disk information.
Impact
Exploitation of this vulnerability allows low-privilege authenticated users to bypass API authorization checks and invoke internal directives, leading to the disclosure of sensitive server information such as the working directory, Java version, operating system, site root path, and disk capacity details. The impact could extend beyond information disclosure, depending on which directives or shared objects are reachable from the template.
Reproduction
To reproduce this vulnerability, an authenticated user with a low-privilege app token must send a request to the '/api/directive/tools/templateResult' endpoint. The request must include a 'templateContent' parameter that embeds calls to internal directives, such as 'tools.systemProperties' or 'tools.disk'. The injected directive calls will be executed with the same privileges as the original token, bypassing authorization restrictions and accessing sensitive server information.
Remediation
To address this vulnerability, do not evaluate externally supplied templates using the full web FreeMarker configuration. Instead, use a dedicated sandboxed FreeMarker configuration for the 'templateResult' API, with shared variables either removed or reduced to a strict allow-list. Configure a restrictive 'TemplateClassResolver' so that user-controlled templates cannot reach internal directives or instantiate classes. Additionally, enforce the authorization check in the template execution path itself, mirroring the existing HTTP-layer check, so the directive cannot be reached without it. If 'templateResult' is meant for internal use only, disable it by default for external integrations or limit it to trusted administrative contexts.
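The following sketch shows what the remediation above looks like in code: a dedicated FreeMarker configuration that registers no shared variables, disables the class-loading and API built-ins, wraps data-model values as plain scalars, and repeats the authorization check inside the rendering path. It is an added illustration written for this page, not PublicCMS code; the class, method and 'Authorizer' names are hypothetical, and the sample token and data are constructed.

```java
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import freemarker.cache.StringTemplateLoader;
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.SimpleObjectWrapper;
import freemarker.template.Template;
import freemarker.template.TemplateException;
import freemarker.template.TemplateExceptionHandler;

/**
 * Hypothetical sandboxed renderer for an externally supplied template string.
 * Illustrates the advisory's remediation; this is not PublicCMS's own code.
 */
public final class SandboxedTemplateResult {

    /** Built once; deliberately separate from the site's web FreeMarker configuration. */
    private static final Configuration SANDBOX = buildSandboxConfiguration();

    private static Configuration buildSandboxConfiguration() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_32);
        // Templates come in as strings from the caller, never from the site's template directory.
        cfg.setTemplateLoader(new StringTemplateLoader());
        // Refuse ?new and any other built-in that would instantiate a Java class by name.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        // Refuse the ?api built-in, which exposes the raw Java object behind a template value.
        cfg.setAPIBuiltinEnabled(false);
        // Wrap model values as plain scalars/hashes/sequences rather than reflective Java beans.
        cfg.setObjectWrapper(new SimpleObjectWrapper(Configuration.VERSION_2_3_32));
        // Fail closed: rethrow errors instead of writing stack traces into the rendered output.
        cfg.setTemplateExceptionHandler(TemplateExceptionHandler.RETHROW_HANDLER);
        cfg.setLogTemplateExceptions(false);
        // Intentionally no cfg.setSharedVariable(...) calls: the web configuration's shared
        // directive objects (the internal "tools.*" helpers the advisory describes) are absent here.
        return cfg;
    }

    /** Hook for whatever policy the HTTP layer already enforces (hypothetical interface). */
    public interface Authorizer {
        boolean mayRenderTemplates(String appToken);
    }

    public static String render(String appToken, String templateContent,
                                Map<String, Object> callerData, Authorizer authorizer)
            throws IOException, TemplateException {
        // Re-check authorization on the execution path, not only at the HTTP layer.
        if (authorizer == null || !authorizer.mayRenderTemplates(appToken)) {
            throw new SecurityException("app token is not authorized to render templates");
        }
        // Allow-list the data model: only simple caller-supplied values reach the template.
        Map<String, Object> model = new HashMap<>();
        for (Map.Entry<String, Object> e : callerData.entrySet()) {
            Object v = e.getValue();
            if (v instanceof String || v instanceof Number || v instanceof Boolean) {
                model.put(e.getKey(), v);
            }
        }
        Template t = new Template("templateResult", new StringReader(templateContent), SANDBOX);
        StringWriter out = new StringWriter();
        t.process(Collections.unmodifiableMap(model), out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Authorizer policy = token -> "demo-token".equals(token); // constructed sample policy
        Map<String, Object> data = new HashMap<>();
        data.put("name", "world");                              // constructed sample input

        // Legitimate use: interpolating values the caller supplied.
        System.out.println(render("demo-token", "Hello ${name}!", data, policy));

        // A template that names a helper existing only in the web configuration fails here
        // with an InvalidReferenceException, because the sandbox registers no shared variables.
        try {
            render("demo-token", "<@tools.systemProperties/>", data, policy);
        } catch (TemplateException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

The key design point is that the sandbox never inherits from the web configuration at all, so nothing has to be "removed" from it later; anything the template should be allowed to see is put into the data model explicitly, and the authorization check sits next to the template evaluation rather than relying on a check somewhere earlier in the request.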
