Improper Access Control in mautic/mautic

Valid

Reported on

Feb 3rd 2022


Description

I couldn't find a suitable vulnerability type for this kind of issue, so this may be incorrect

the default .htaccess file has some restrictions in the access to PHP files.

    # Deny access via HTTP requests to all PHP files.
    <FilesMatch "\.php$">
        Order deny,allow
        Deny from all
    </FilesMatch>

    ...

    # Except those whitelisted bellow.
    <FilesMatch "^(index|index_dev|filemanager|upgrade)\.php$">
        Order allow,deny
    </FilesMatch>

The intention seems to be to only allow specific PHP files to be executed in the root of the application (hence the ^ in the beginning).

This logic isn't correct, as the regex in the second FilesMatch only checks the filename, not the full path.
So this actually allows you to execute any php file in the docroot named index.php, index_dev.php, filemanager.php or upgrade.php

Following files are present:

./app/assets/scaffold/files/index.php
./index.php
./vendor/sparkpost/sparkpost/examples/debug/index.php
./vendor/rector/rector/vendor/symfony/http-client-contracts/Test/Fixtures/web/index.php
./vendor/symfony/http-client-contracts/Test/Fixtures/web/index.php
./vendor/mrclay/minify/min_unit_tests/HTTP_Encoder/index.php
./vendor/mrclay/minify/min_unit_tests/HTTP_ConditionalGet/index.php
./vendor/mrclay/minify/min/index.php
./vendor/mrclay/minify/min/builder/index.php

./index_dev.php
./app/assets/scaffold/files/index_dev.php

./app/assets/scaffold/files/upgrade.php
./upgrade.php

Proof of Concept

execute following script on a vanilla Mautic 4.1.2

curl http://mautic.local/vendor/symfony/http-client-contracts/Test/Fixtures/web/index.php
curl http://mautic.local/vendor/mrclay/minify/min/index.php?f=media/css/libraries.css

Impact

Any PHP file in the docroot named index.php, index_dev.php, filemanager.php or upgrade.php can be executed. Depending on the Mautic version or extra dependencies in vendor, this may allow execution of scrips.

A vanilla Mautic 4.1.2 has some files that are actually executable (see PoC), other versions may contain way more impactful files in te application or dependencies of the application.

We are processing your report and will contact the mautic team within 24 hours. 4 months ago
mollux submitted a
4 months ago
Ruth Cheesley
4 months ago

Maintainer


Thanks for the report, we'll review and get back to you. Tracking under MST-32.

We have contacted a member of the mautic team and are waiting to hear back 4 months ago
We have sent a follow up to the mautic team. We will try again in 7 days. 4 months ago
We have sent a second follow up to the mautic team. We will try again in 10 days. 3 months ago
Ruth Cheesley validated this vulnerability 3 months ago
mollux has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the mautic team. We will try again in 7 days. 3 months ago
Ruth Cheesley
3 months ago

Maintainer


I think that this should actually be https://cwe.mitre.org/data/definitions/284.html

mollux
3 months ago

Maintainer


correct, I could't choose that one, as there was already another one I filed with the sae type

Ruth Cheesley confirmed that a fix has been merged on cd998b 3 months ago
mollux has been awarded the fix bounty
.htaccess#L133 has been validated
.htaccess#L113 has been validated
Jamie Slome
3 months ago

Admin


Switched from CWE-840 to CWE-284 👍

to join this conversation