MAGNOLIA-8348: FreeMarker Restriction Bypass 3 in Magnolia CMS
An issue in the FreeMarker Filter of Magnolia CMS v6.2.17 and below allows attackers to bypass security restrictions and execute arbitrary code, read/write/move/copy/delete arbitrary files or launch DoS attacks via a crafted FreeMarker payload. Arbitrary code execution was successfully achieved via writing arbitrary JSP files.

Collaboration:

This vulnerability was found in collaboration with Marian-Razvan Ilisanu.

Vendor Disclosure:

The vendor's disclosure and fix for this vulnerability can be found here.

Why no CVE?

Neither I nor the vendor requested a CVE for these vulnerabilities.

Proof Of Concept:

More details and the exploitation process can be found in this PDF.

Additional Resources:

The "servletContenxt" SSTI gadget that results in the execution of arbitrary system commands was inspired by this advisory.

The H2 "INIT=RUNSCRIPT" payload was taken from this blog post.

The JSP code used to execute arbitrary system commands can be found here.