GHSA-86vw-x4ww-x467
Craft CMS: RCE via missing cleanseConfig in FieldsController::actionRenderCardPreview
상세
The `actionRenderCardPreview()` method in `FieldsController` passes the `fieldLayoutConfig` POST parameter directly to `Fields::createLayout()` without calling `Component::cleanseConfig()`. This allows Yii2 event handler injection via `on eventName` keys in the config array, leading to arbitrary code execution.
This is the same vulnerability pattern that was fixed in GHSA-4484-8v2f-5748 (same file, `_fldComponent` method correctly uses `cleanseConfig`), GHSA-qx2q-q59v-wf3j (EntryTypesController), and GHSA-2fph-6v5w-89hh (ElementIndexesController).
## PoC
As an admin user with a valid session:
``` POST /admin/actions/fields/render-card-preview HTTP/1.1 Content-Type: application/x-www-form-urlencoded Cookie: CraftSessionId=<session>
fieldLayoutConfig[on+init]=phpinfo&CRAFT_CSRF_TOKEN=<token> ```
When the FieldLayout object is constructed, Yii2 processes the `on init` key as an event handler registration. During `Component::init()`, the `init` event is triggered, calling `phpinfo()`. The phpinfo output (which includes environment variables, potentially containing database credentials and `CRAFT_SECURITY_KEY`) will appear in the response.
## Impact
An authenticated admin can achieve RCE through Yii2 event handler injection. While this requires admin access (same as GHSA-4484-8v2f-5748, which was rated moderate), it allows arbitrary PHP function execution and information disclosure via phpinfo.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.