agentejo / cockpit

Add content management functionality to any site - plug & play / headless / api-first CMS
http://getcockpit.com
MIT License

RCE via Read Collections Function #1468

Open serWazito0 opened 2 years ago

serWazito0 commented 2 years ago

Hi Cockpit Team,

I found that I can get RCE via PHP code injection in read rules. This attack can be executed with authentication and without authentication.

Steps [auth]

  1. Go to the dashboard, then click on Create Collection
  2. Enter any dummy data
  3. In the permission part, enable the read rule and modify it with the PHP payload
  4. Go to the Collections
  5. Click on the created collection
  6. Pass a value to the missing parameter

Note that the file is created at storage/collections/rules

[without auth] You can access it without authentication at /storage/collections/rules/RCE.read.php?cmd=id
aheinze commented 2 years ago

Yes, you can write PHP code, and this should only be done by admins. You should only give admins the right to create|edit collections. I'll try to find a solution for the direct un-authenticated access
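A defender-side check for the two exposures discussed in this thread, added here as an example and not part of the issue or of Cockpit's code: it reviews rule files under storage/collections/rules for shell/eval calls (a content-access rule should only need to inspect the user or request context) and flags web-server log lines that request a rule file directly, bypassing the application. The sample rule bodies and log lines are constructed, and the `.read.php` naming follows the file shown in the report.

```python
import re
import tempfile
from pathlib import Path

# PHP functions whose presence in a content-access rule warrants review.
SUSPICIOUS_CALLS = ("system", "exec", "shell_exec", "passthru", "eval", "popen", "proc_open")
CALL_RE = re.compile(r"\b(" + "|".join(SUSPICIOUS_CALLS) + r")\s*\(", re.IGNORECASE)

# Requests that reach rule files directly instead of through the API
# (the un-authenticated path noted in this issue).
DIRECT_ACCESS_RE = re.compile(r'"(?:GET|POST) (/storage/collections/rules/[^\s"?]+)')


def scan_rules_dir(rules_dir):
    """Return {filename: [suspicious function names]} for rule files that call shell/eval functions."""
    findings = {}
    for path in sorted(Path(rules_dir).glob("*.php")):
        hits = sorted({m.group(1).lower() for m in CALL_RE.finditer(path.read_text())})
        if hits:
            findings[path.name] = hits
    return findings


def find_direct_rule_requests(log_lines):
    """Return the rule-file paths that were requested directly, one per matching log line."""
    return [m.group(1) for line in log_lines if (m := DIRECT_ACCESS_RE.search(line))]


# Constructed sample data (not taken from the issue): one benign rule, one rule that shells out.
SAMPLE_RULES = {
    "news.read.php": "<?php\nreturn $user && $user['group'] === 'admin';\n",
    "RCE.read.php": "<?php\nsystem($_GET['cmd']);\n",
}
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Sep/2021:07:58:49 +0000] "GET /storage/collections/rules/RCE.read.php?cmd=id HTTP/1.1" 200 51',
    '10.0.0.6 - - [10/Sep/2021:08:01:12 +0000] "GET /api/collections/get/news HTTP/1.1" 200 1843',
]


def demo():
    """Write the sample rules to a temp dir and run both checks; returns (findings, direct_requests)."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_RULES.items():
            Path(tmp, name).write_text(body)
        return scan_rules_dir(tmp), find_direct_rule_requests(SAMPLE_LOG)


if __name__ == "__main__":
    print(demo())
```

Point `scan_rules_dir` at a real storage/collections/rules directory and `find_direct_rule_requests` at your access log to run the same checks on a live install.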

serWazito0 commented 2 years ago

BTW how can u let the admin execute PHP code!! If I add this CMS to my website and then give admin access to someone, he can easily access my server, files, etc.... !!

aheinze commented 2 years ago

Why would you give someone admin rights whom you don't trust? He can also delete your account then and take over the CMS etc. Just don't give anyone admin rights 🤷‍♂️

serWazito0 commented 2 years ago

I'm not talking about my side, it's an example. Sometimes the website owner doesn't change the default credentials for the CMS, so if the attacker tries them he will log in as admin and then execute the PHP code. 🤷‍♂️🤷‍♂️

serWazito0 commented 2 years ago

Can u just explain to me why u allow the admin to execute PHP code?

aheinze commented 2 years ago

This is meant for configuring complex content access rules (see comment: https://github.com/agentejo/cockpit/issues/675#issuecomment-367120881)