Web admins urged to apply patches now

Server-side vulnerabilities in Concrete CMS puts thousands of websites under threat

Multiple security vulnerabilities in a popular open source content management system (CMS) could allow a malicious attacker to gain full control of the underlying web server.

The issues were discovered in Concrete CMS by researchers from Fortbridge, who detailed how two race condition vulnerabilities combined with the insecure use of the uniqid() function could allow an attacker with low privileges to achieve remote code execution (RCE).

Adrian Tiron from Fortbridge told The Daily Swig that the uniqid() function was not cryptographically secure. Instead, it returned a pseudo-random number, “allowing us to guess the name of a pseudo-random directory and then upload a web shell on the server”.

As of this year, there are more than 62,000 live website that are built with Concrete CMS, the researchers said.

Various flaws

The first vulnerability is a race condition in the file upload function that allows a Concrete CMS user to upload files from a remote server.

Files are downloaded to ‘$temporaryDirectory’ – a class called VolatileDirectory which creates a temporary directory, that gets deleted at the end of each request.

Researchers said that the name of the directory created will always be random, and so in order to guess the name of it, they needed to brute-force this directory to find where it was coming from.

Read more of the latest security vulnerability news

A single brute-force request takes 100ms to execute, meaning that researchers needed time to carry out their attack.

As they looked to circumvent the 60-second cURL timeout, they turned to the uniqid() function, which returned the time and day to the microsecond.

The blog reads: “[W]e will add a sleep() for 30-60 seconds in the test.php file which gets downloaded from the remote server.

“This will basically force the CMS to keep the $temporaryDir directory for 30-60 seconds on the local filesystem before deleting it. Enough time for us to brute-force the directory name with Burp Turbo Intruder.”

Once they had the name of the directory, researchers were able to request test.php, which writes a permanent shell in the parent directory.

By making test.php execute for ~30 seconds to guess the directory name, a second race condition was created, meaning that test.php will be written on the CMS filesystem.

This then allowed them to achieve RCE on the server.

Patch now

Speaking to The Daily Swig, Tiron advised Concrete CMS users to upgrade to versions 8.5.7 and 9.0.1, which are already available.

He added: “The disclosure process was very smooth, and we didn’t encounter any issues, the Concrete CMS team was very friendly and cooperative.”

RECOMMENDED HTTP header smuggling attack against AWS API Gateway exposes systems to cache poisoning