VDB
EN
HIGH

GHSA-86vw-x4ww-x467

Craft CMS: RCE via missing cleanseConfig in FieldsController::actionRenderCardPreview

상세

The `actionRenderCardPreview()` method in `FieldsController` passes the `fieldLayoutConfig` POST parameter directly to `Fields::createLayout()` without calling `Component::cleanseConfig()`. This allows Yii2 event handler injection via `on eventName` keys in the config array, leading to arbitrary code execution.

This is the same vulnerability pattern that was fixed in GHSA-4484-8v2f-5748 (same file, `_fldComponent` method correctly uses `cleanseConfig`), GHSA-qx2q-q59v-wf3j (EntryTypesController), and GHSA-2fph-6v5w-89hh (ElementIndexesController).

## PoC

As an admin user with a valid session:

``` POST /admin/actions/fields/render-card-preview HTTP/1.1 Content-Type: application/x-www-form-urlencoded Cookie: CraftSessionId=<session>

fieldLayoutConfig[on+init]=phpinfo&CRAFT_CSRF_TOKEN=<token> ```

When the FieldLayout object is constructed, Yii2 processes the `on init` key as an event handler registration. During `Component::init()`, the `init` event is triggered, calling `phpinfo()`. The phpinfo output (which includes environment variables, potentially containing database credentials and `CRAFT_SECURITY_KEY`) will appear in the response.

## Impact

An authenticated admin can achieve RCE through Yii2 event handler injection. While this requires admin access (same as GHSA-4484-8v2f-5748, which was rated moderate), it allows arbitrary PHP function execution and information disclosure via phpinfo.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

Packagist / craftcms/cms
최초 영향 버전: 5.5.0 수정 버전: 5.9.14
수정 composer require craftcms/cms:^5.9.14

참고