Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Vulnerability Allowing Full Server Takeover Found in Concrete5 CMS

A remote code execution (RCE) vulnerability addressed recently in Concrete5 exposed numerous websites to attacks, Edgescan reports.

A point and click, open-source content management system, Concrete5 allows users create websites at ease and is used by many high-profile entities worldwide, including BASF, GlobalSign, REC, the U.S. Army, and more.

A remote code execution (RCE) vulnerability addressed recently in Concrete5 exposed numerous websites to attacks, Edgescan reports.

A point and click, open-source content management system, Concrete5 allows users create websites at ease and is used by many high-profile entities worldwide, including BASF, GlobalSign, REC, the U.S. Army, and more.

The CMS has been designed with ease-of-use in mind, and allows users to edit content directly from the page, without requiring advanced technical skills.

What Edgescan discovered was an RCE flaw in Concrete5 that could have allowed an attacker to inject a reverse shell into vulnerable web servers, thus taking full control of them.

The issue was identified in Concrete5 version 8.5.2, which essentially allowed an attacker to modify site configuration and upload a PHP file onto the server, thus gaining arbitrary command execution capabilities.

Although PHP, HTML and other dangerous file extensions are not typically allowed, the issue could have been exploited “to include PHP extension in the legal file list and then upload the file,” Edgescan says.

To mount an attack, an adversary would need administrative permissions to access the ‘Allow File types’ feature and include the PHP file type in the list of allowed extensions.

Once that has been achieved, however, the attacker can upload potentially malicious code onto the server and then execute arbitrary commands. Information on how to reproduce the attack has been disclosed on HackerOne.

By exploiting the vulnerability, Edgescan says, an attacker “would be able to take full control over the web server (system). By executing arbitrary commands on the server, an attacker could compromise the integrity, availability and confidentiality. And pivot onto other servers on the internal network.”

The issue was reported via the HackerOne platform in early January 2020, but a fix wasn’t released for six months. Users running the latest stable release (Concrete5 version 8.5.4) are protected from the vulnerability.

“Crucially important to keep your installed scripts and CMS platforms up to date. Create a regular schedule to update or patch your CMS, and all installed plugins and themes. Ensure all components are up-to-date,” Edgescan points out.

Related: Over 30 Vulnerabilities Discovered Across 20 CMS Products

Related: WordPress Malware Targets WooCommerce Stores

Related: XSS, Open Redirect Vulnerabilities Patched in Drupal

Related: Elementor Plugin Vulnerabilities Exploited to Hack WordPress Sites

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Vulnerabilities

A high-severity format string vulnerability in F5 BIG-IP can be exploited to cause a DoS condition and potentially execute arbitrary code.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.