Severity: MEDIUM

GHSA-43cq-c2gq-pfpw

Craft CMS: Authorization bypass in `entries/move-to-section` via missing target-section save check

Details

### Summary

The `EntriesController::actionMoveToSection()` endpoint checks only whether the current user can view the destination section, but it does not require permission to save entries into that section. A low-privileged authenticated control-panel user who can move an entry out of its current section can therefore move that entry into a different section where they have read access but no write access.

### Details

The vulnerable route is implemented in `src/controllers/EntriesController.php` (line 465 in craftcms/cms 5.9.19).

The only check applied to the destination section is `viewEntries:$section->uid`. The source-entry gate is `Entry::canMove()`, which verifies whether the user may move the existing entry based on its current (source) section. Nothing verifies that the user may save entries into the destination section.

This completes the exploit chain:

1. External source: an authenticated control-panel request to `entries/move-to-section`.
2. Missing authorization check: the destination section requires only `viewEntries`, not `saveEntries`.
3. Privileged sink: `moveEntryToSection()` rewrites `sectionId` and saves the entry into the unauthorized section.

Preconditions derived from the code:

1. The attacker is authenticated to the control panel.
2. Entry `345` is movable by the attacker from its current section.
3. The attacker satisfies `viewEntries` on destination section `12`.
4. The attacker does not hold `saveEntries:DESTINATION_UID`; this is the missing check that makes the bypass possible.

Result:

1. The controller accepts the request because `viewEntries:$section->uid` passes.
2. Each source entry passes `canMove()` based on source-section permissions.
3. `moveEntryToSection()` updates the entry's `sectionId` and saves it.
4. The entry now lives in a section where the attacker had no write permission.
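The gate described above, reduced to a stand-alone model so the difference between the vulnerable and the hardened destination check can be run with plain `php`. This is an added illustration, not Craft CMS code: the `User` class, the `requirePermission()` helper (modeled on the behaviour of Craft's `Controller::requirePermission()`, which throws a `ForbiddenHttpException` when the permission is missing), the two `authorizeMoveToSection*` functions and the section UID are all hypothetical. Only the permission names `viewEntries:<uid>` and `saveEntries:<uid>` come from the advisory.

```php
<?php
// Added illustrative example, not Craft CMS code. It models the destination
// authorization gate from the advisory with a tiny stand-in for Craft's
// Controller::requirePermission() so it runs with plain `php`.
declare(strict_types=1);

final class ForbiddenHttpException extends RuntimeException {}

/** Hypothetical stand-in for the current control-panel user: a set of permission strings. */
final class User
{
    /** @param string[] $permissions */
    public function __construct(private array $permissions) {}

    public function checkPermission(string $permission): bool
    {
        return in_array($permission, $this->permissions, true);
    }
}

/** Throws when the user lacks the permission, as Craft's requirePermission() does. */
function requirePermission(User $user, string $permission): void
{
    if (!$user->checkPermission($permission)) {
        throw new ForbiddenHttpException("User is not permitted to perform this action: $permission");
    }
}

/**
 * Vulnerable destination gate (hypothetical name): only viewEntries on the
 * target section is required, so a read-only user of that section passes.
 */
function authorizeMoveToSectionVulnerable(User $user, string $sectionUid): void
{
    requirePermission($user, "viewEntries:$sectionUid");
}

/**
 * Hardened destination gate (hypothetical name): moving an entry into a
 * section is a write into that section, so saveEntries must also hold.
 */
function authorizeMoveToSectionFixed(User $user, string $sectionUid): void
{
    requirePermission($user, "viewEntries:$sectionUid");
    requirePermission($user, "saveEntries:$sectionUid");
}

// Constructed scenario: the attacker can view, but not save into, the destination.
$destinationUid = 'dest-section-uid';   // hypothetical section UID
$attacker = new User(["viewEntries:$destinationUid"]);

foreach (['authorizeMoveToSectionVulnerable', 'authorizeMoveToSectionFixed'] as $gate) {
    try {
        $gate($attacker, $destinationUid);
        echo "$gate: ALLOWED (entry would be moved into the section)\n";
    } catch (ForbiddenHttpException $e) {
        echo "$gate: DENIED ({$e->getMessage()})\n";
    }
}
```

Running it shows the vulnerable gate allowing the move and the hardened gate rejecting it with the `saveEntries` permission named in the message. The check on the destination is deliberately in addition to, not instead of, the `viewEntries` check and the source-side `canMove()` gate the advisory describes.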

### Impact

This breaks the intended section-level authorization model. A user with limited content permissions can inject or relocate content into a protected section, interfering with editorial boundaries, approval workflows, section-specific business logic, and content ownership expectations.


Affected package

Packagist / craftcms/cms
First affected version: 5.0.0-RC1. Fixed version: 5.9.21
Fix: composer require craftcms/cms:^5.9.21
