Security researchers Alvaro Munoz of GitHub and Oleksandr Mirosh of Micro Focus Fortify discovered over 30 security vulnerabilities in 20 content management systems (CMS), including Microsoft SharePoint, Alfresco, and Atlassian Confluence. Munoz and Mirosh presented their findings at the Black Hat cybersecurity conference and demonstrated how a threat actor can escape template sandboxes and achieve remote code execution (RCE). They also analyzed the security controls implemented by several CMS frameworks and the techniques used to bypass them.
A CMS is a software application used to manage the creation and modification of online content, most commonly for enterprise content management (ECM) and web content management (WCM). According to the researchers, content in a CMS platform is stored in a database and rendered for users through a set of templates. These templates support a subset of a programming language's capabilities and are sandboxed so that users who can edit them cannot abuse them to attack the underlying system.
Using a Microsoft SharePoint server as the main CMS attack surface, the researchers found six unique RCE vulnerabilities by combining flaws in its implementation and design. They also reviewed several popular Java template engines, namely Apache Velocity, Apache FreeMarker, Pebble, and JinJava, and discovered multiple ways to escape their template sandboxes and achieve RCE in many products, including Atlassian Confluence, dotCMS, Alfresco, Liferay, Crafter CMS, XWiki, and Apache OFBiz.
“In the most simple attack scenario, the attacker has access to the target CMS applications such as regular SharePoint users being able to create their own sites and therefore being able to provide their own templates. In some cases, we were able to get trial accounts on cloud-based CMS platforms and perform the attacks from our own trial admin account. These were the most interesting cases since we were able to compromise the underlying infrastructure, which could have allowed us to initiate attacks against other tenants. No matter what the vector used, though, the impact is always critical since once the mitigations are bypassed, template engines can be used to evaluate arbitrary code leading to Remote Code Execution (RCE),” the researchers said.