Dromara Lamp-Cloud Message Template Handler Stored Injection Vulnerability Leading to Remote Code Execution

Vulnerability

A stored injection vulnerability leading to remote code execution affects Dromara lamp-cloud versions up to and including 5.6.2. The issue lies in the Message Template Handler, specifically where the GroovyClassLoader.parseClass function is reached with attacker-controlled input. It is triggered by manipulating the DefMsgTemplate.content argument: special elements that the template engine interprets are not neutralized, so a stored template can carry arbitrary code that is compiled and executed on the server whenever the template is processed.

Impact

Successful exploitation gives the attacker arbitrary code execution on the server running Dromara lamp-cloud, with the privileges of the application process. Because the malicious template is stored, the payload can be executed repeatedly, each time the template is processed.

Reproduction

Reproduction requires an authenticated admin user, who posts a message template through the DefMsgTemplateController. The 'content' field can be populated with FreeMarker syntax; because the template engine's static models are reachable from the data model, such a template can invoke static methods of arbitrary classes, which can lead to code execution. Alternatively, Groovy source placed in the 'script' field is compiled and run without any sandboxing, so the injected code executes directly on the server.

Remediation

To address this vulnerability, Dromara lamp-cloud should compile the 'script' field only through a GroovyClassLoader constructed with a CompilerConfiguration that carries a SecureASTCustomizer restricting imports, receivers and other dangerous operations, and should additionally validate script content against an allow-list of approved patterns rather than accepting arbitrary source. FreeMarker templates should be hardened by setting the new-builtin class resolver to a safer one (TemplateClassResolver.SAFER_RESOLVER, or ALLOWS_NOTHING_RESOLVER where templates never need to instantiate classes) and by keeping static models (BeansWrapper.getStaticModels()) out of the template data model. It is also recommended to require an elevated permission, distinct from ordinary template administration, for any field that carries a script, and to sanitize stored template content before it is rendered. Note that an AST-level Groovy sandbox closes the obvious paths but is not a complete security boundary, so the permission and validation controls should not be dropped in its favor.
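The two code paths described under Reproduction and Remediation, shown side by side as an added example that is not lamp-cloud's own code: the unsafe pattern (a stored script handed straight to GroovyClassLoader.parseClass, and a FreeMarker template rendered with static models in its data model) next to a hardened form (SecureASTCustomizer via CompilerConfiguration, and a FreeMarker Configuration with a restrictive class resolver and no static models). The class and method names, the `statics` hash name, the Groovy 3.x setter names (Groovy 4 renamed them to setAllowedImports and so on) and the FreeMarker 2.3.31 version constant are assumptions; the scripts and template in main are constructed inputs standing in for stored DefMsgTemplate fields.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import freemarker.core.TemplateClassResolver;
import freemarker.ext.beans.BeansWrapperBuilder;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.Version;
import groovy.lang.Binding;
import groovy.lang.GroovyClassLoader;
import groovy.lang.Script;
import org.codehaus.groovy.control.CompilationFailedException;
import org.codehaus.groovy.control.CompilerConfiguration;
import org.codehaus.groovy.control.customizers.SecureASTCustomizer;

/**
 * Added illustration, not lamp-cloud code. Names are invented; assumes Groovy 3.x
 * setter names and the FreeMarker 2.3.31 version constant.
 */
public class MsgTemplateHardeningDemo {

    private static final Version FM = Configuration.VERSION_2_3_31;

    /** UNSAFE: the stored 'script' field is compiled as-is, with no CompilerConfiguration. */
    static Object runScriptUnsafe(String script, Map<String, Object> vars) throws Exception {
        Class<?> clazz = new GroovyClassLoader().parseClass(script);
        Script s = (Script) clazz.getDeclaredConstructor().newInstance();
        s.setBinding(new Binding(vars));
        return s.run(); // whatever the script does runs with the application's privileges
    }

    /** Hardened: same call path, but parseClass compiles under a SecureASTCustomizer. */
    static Object runScriptSandboxed(String script, Map<String, Object> vars) throws Exception {
        SecureASTCustomizer secure = new SecureASTCustomizer();
        // Empty allow-lists: no import of any kind is permitted in a template script.
        secure.setImportsWhitelist(Collections.emptyList());
        secure.setStarImportsWhitelist(Collections.emptyList());
        secure.setStaticImportsWhitelist(Collections.emptyList());
        secure.setStaticStarImportsWhitelist(Collections.emptyList());
        // Also reject fully qualified class references such as java.lang.Runtime.getRuntime().
        secure.setIndirectImportCheckEnabled(true);
        secure.setPackageAllowed(false);
        secure.setMethodDefinitionAllowed(false);
        secure.setClosuresAllowed(false);

        CompilerConfiguration cfg = new CompilerConfiguration();
        cfg.addCompilationCustomizers(secure);
        try (GroovyClassLoader gcl =
                     new GroovyClassLoader(MsgTemplateHardeningDemo.class.getClassLoader(), cfg)) {
            Class<?> clazz = gcl.parseClass(script); // a violation fails compilation here
            Script s = (Script) clazz.getDeclaredConstructor().newInstance();
            s.setBinding(new Binding(vars));
            return s.run();
        }
    }

    /** UNSAFE: default class resolver, and static models exposed to the template. */
    static String renderUnsafe(String content, Map<String, Object> model) throws Exception {
        Configuration cfg = new Configuration(FM);
        Map<String, Object> root = new HashMap<>(model);
        // Hypothetical key "statics": this hash lets a template reach static members of any class.
        root.put("statics", new BeansWrapperBuilder(FM).build().getStaticModels());
        return render(cfg, content, root);
    }

    /** Hardened: no static models in the data model, and ?new / ?api cannot resolve classes. */
    static String renderHardened(String content, Map<String, Object> model) throws Exception {
        Configuration cfg = new Configuration(FM);
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        cfg.setAPIBuiltinEnabled(false);
        return render(cfg, content, new HashMap<>(model)); // only the message variables
    }

    private static String render(Configuration cfg, String content, Map<String, Object> root)
            throws Exception {
        Template t = new Template("msg-template", new StringReader(content), cfg);
        StringWriter out = new StringWriter();
        t.process(root, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs standing in for stored DefMsgTemplate fields.
        Map<String, Object> vars = new HashMap<>();
        vars.put("amount", 40);
        vars.put("rate", 2);
        System.out.println(runScriptSandboxed("amount * rate + 1", vars));
        try {
            runScriptSandboxed("java.lang.Runtime.getRuntime()", vars);
            System.out.println("sandbox did not reject the class reference");
        } catch (CompilationFailedException | SecurityException e) {
            System.out.println("rejected at compile time: " + e.getClass().getSimpleName());
        }
        Map<String, Object> model = new HashMap<>();
        model.put("name", "alice");
        System.out.println(renderHardened("Hello ${name}", model));
    }
}
```

The arithmetic script compiles and runs under the sandbox because it touches no class reference; the second script fails at parseClass because the fully qualified Runtime reference is checked against the empty import allow-list. SecureASTCustomizer works on the AST only, so dynamic dispatch, reflection and metaprogramming can evade it; it is defense in depth behind the permission and allow-list validation controls, not a replacement for them. SAFER_RESOLVER can be used instead of ALLOWS_NOTHING_RESOLVER if templates legitimately need ?new on a few harmless classes.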

Added: May 26, 2026, 6:31 PM
Updated: May 26, 2026, 6:31 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 9.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.