Statamic 4.7.0 - File-Inclusion
## Title: Statamic 4.7.0 - File-Inclusion
## Author: nu11secur1ty
## Date: 07.13.2023
## Vendor: https://statamic.com/
## Software: https://demo.statamic.com/
## Reference: https://portswigger.net/web-security/file-upload
## Description:
Statamic 4.7.0 accepts an HTML file as an asset upload without restricting or sanitizing its content, so the "file inclusion" here is really an unrestricted file upload that ends in stored cross-site scripting.
An attacker with upload access can store a malicious HTML file and share its public URL.
Anyone who opens the link runs the embedded script in their browser: it executes on the site's origin, can read every cookie not flagged HttpOnly (the session token, where it is exposed to JavaScript), and can issue requests that carry the victim's session.
## Status: HIGH Vulnerability
[+]Exploit:
```html
<!-- Proof of concept: uploaded as an asset and opened from its public URL, the
     script runs on the site's origin and shows the cookies readable by JavaScript. -->
<html>
<script>
alert(document.cookie);
</script>
</html>
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/statamic/2023/statamic-4.7.0)
## Proof and Exploit
[href](https://www.nu11secur1ty.com/2023/07/statamic-470-file-inclusion-unsanitized.html)
## Time spent:
01:10:00

Statamic 4.7.0 File-Inclusion Vulnerability: A Deep Dive into Exploitation and Mitigation
On July 13, 2023, researcher nu11secur1ty published the advisory above for Statamic 4.7.0, a Laravel-based flat-file CMS. The advisory rates the issue HIGH and labels it file inclusion; the mechanism it describes is an unrestricted file upload that leads to stored cross-site scripting. Uploaded HTML files are stored and served without their content being checked, so an attacker can run arbitrary client-side code in the browser of anyone who opens the file's URL.
Understanding the Vulnerability: File-Inclusion via Unsanitized Uploads
Statamic's asset containers accept uploads such as images and documents. In version 4.7.0 nothing stops a user with upload rights from storing an .html file whose body is a script; the file is kept byte for byte as uploaded, and a script file is not "disguised" so much as accepted as-is.
When the stored file is fetched from its public URL (e.g. https://demo.statamic.com/uploads/malicious.html), the server returns it as text/html and the browser renders it like any other page on that site. The embedded JavaScript therefore runs with the site's origin: it can read every cookie not flagged HttpOnly, and any request it issues to the site carries the victim's session cookie automatically. The limit is reach, not privilege: the script can do whatever the victim's browser can do on that origin, and nothing beyond it.
Exploit Demonstration: Session Token Theft via JavaScript
```js
alert(document.cookie);
```
The payload does one thing: it displays the cookies that JavaScript is allowed to read. A victim has to open the attacker's link for it to run, so this is a stored-XSS-style attack delivered by URL, not a zero-interaction one. One caveat a tester should weigh: Laravel, on which Statamic is built, marks the session cookie HttpOnly by default, so unless the deployment changed that setting, document.cookie will show the JavaScript-readable XSRF-TOKEN cookie rather than the session identifier itself. That does not neutralize the attack. A script running in the site's origin does not need to read the session cookie to use it, because the browser attaches it to every request the script makes to the same site.
Why this is dangerous: a script with the victim's origin and session can impersonate that user for the life of the session: read private content, change whatever content or settings the user may change, and, if the victim is a control-panel user, do so with that user's administrative rights. Where the session value is readable from document.cookie, the attacker can additionally replay the session from their own machine.
Attack Vector and Real-World Impact
Attackers can deliver the stored file through several channels:
- Phishing: sending the file's URL by email, social media, or messaging. The link points at the legitimate site, which makes it more convincing than a look-alike domain.
- Malicious content hosting: uploading the file to a public asset library and linking it from forums, comment sections, or search-indexed pages.
- Insider or contributor abuse: any account with asset-upload rights (a contributor, a compromised editor, an agency account) can plant the file, and it persists on the site until someone notices it.
The script is confined to the origin that serves the upload, so one file compromises the users of that site, not other domains. The impact still scales with the site: on an instance whose control-panel users follow the link, a single upload can expose every one of those sessions.
Root Cause Analysis
The vulnerability arises from three things that combine:
- No restriction on uploaded file types: an .html file is accepted as an asset just as an image would be.
- No inspection or sanitization of uploaded content before it is stored and served.
- Uploads served from the site's own origin as ordinary static files, as text/html for an .html extension, without headers (such as Content-Security-Policy: sandbox or Content-Disposition: attachment) that would stop the browser from executing them.
Statamic's design favours simple, developer-friendly workflows, and in this version that leaves HTML assets without a safety net unless the administrator restricts them.
Recommended Mitigation and Best Practices
Developers and administrators should apply the following measures, in layers, so that a failure of one does not expose the site:
| Security Measure | Description |
|---|---|
| File-type allowlist | Accept only the extensions and MIME types the site needs (e.g. .jpg, .png, .pdf) and reject .html, .htm, .svg and .js. Check the content's magic bytes, not only the name, so a renamed HTML file is caught. Statamic asset containers accept Laravel validation rules (for example a `mimes:` allowlist) in their settings, so the restriction can be applied per container without custom code. |
| Content inspection | Reject stored files that contain markup or script a browser could execute. Server-side sanitization with a DOMPurify-style library only makes sense if the site must publish user-supplied HTML; otherwise do not accept HTML at all. |
| Content Security Policy (CSP) | Apply a strict CSP to the application, and serve uploads with `Content-Security-Policy: sandbox` and `X-Content-Type-Options: nosniff` so that no script inside a stored file can run, whatever its type. |
| Separate origin or proxy | Do not serve uploads directly from the application's origin. Serve them from a dedicated domain, or through a proxy endpoint that sets the headers above and forces a download (`Content-Disposition: attachment`) for anything that is not a plain image. |
Additionally, administrators should:
- Audit the asset containers for .html, .htm and .svg files, and monitor new uploads for them.
- Disable HTML (and SVG) uploads unless the site genuinely needs them.
- Track the vendor's releases and security advisories. The advisory above names no patched version, so do not assume an upgrade alone closes this; confirm the container restrictions actually in place on your instance.
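The root-cause list and the mitigation table above describe the same gatekeeper from two sides: what 4.7.0 does not check, and what a safe upload path must check. The block below is an added example, not Statamic's code or the advisory's, of that gatekeeper in a generic form you could put in front of any asset-upload endpoint: an extension allowlist, a magic-byte check so a renamed HTML file cannot pass as an image, a scan for active markup in polyglots, and the response headers for serving stored files so that even one that slipped through cannot run script on the site's origin. The function names, the sample uploads and the assumed interface (we receive the client's filename and raw bytes, and we control the headers when the file is served) are hypothetical.

```python
"""Upload gatekeeper for user-supplied assets (added example, not project code).

Assumed interface (hypothetical): the upload handler gives us the client's
filename and the raw bytes; the download handler lets us set response headers.
"""
import re

# Allowlist: extension -> MIME type we will serve it with.
# The client-supplied Content-Type is never consulted, let alone trusted.
ALLOWED = {
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
    "png": "image/png",
    "gif": "image/gif",
    "pdf": "application/pdf",
}

# Magic numbers each allowed type must start with, so an HTML file renamed
# to .png is rejected on content rather than accepted on its name.
MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "application/pdf": (b"%PDF-",),
}

# Markup a browser would execute if the file were ever served or sniffed as
# HTML/SVG. This catches polyglots (valid image header, script further in);
# it is defence in depth behind the headers in serve_headers(), not the
# primary control, and a legitimate file that happens to contain these
# byte sequences is rejected too.
ACTIVE_MARKUP = re.compile(
    rb"<\s*(?:script|html|body|iframe|svg|object|embed|meta)\b|javascript\s*:",
    re.IGNORECASE,
)


def check_upload(filename, data):
    """Return (accepted, mime_or_reason) for one upload attempt."""
    basename = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in basename:
        return False, "no extension"
    # Only the last extension counts, so evil.png.html is judged as .html.
    ext = basename.rsplit(".", 1)[-1].lower()
    mime = ALLOWED.get(ext)
    if mime is None:
        return False, f"extension .{ext} is not on the allowlist"
    if not data.startswith(MAGIC[mime]):
        return False, f"content does not look like {mime}"
    if ACTIVE_MARKUP.search(data):
        return False, "file contains active markup"
    return True, mime


def serve_headers(mime, stored_name):
    """Headers for serving a stored upload.

    Fixed Content-Type (never derived from the request), nosniff so the
    browser cannot reinterpret the body, a CSP sandbox so script cannot run
    even if the body is HTML, and forced download for anything that is not
    a plain image. stored_name is assumed to be server-generated.
    """
    headers = {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }
    if not mime.startswith("image/"):
        headers["Content-Disposition"] = f'attachment; filename="{stored_name}"'
    return headers


# Constructed sample uploads (not real files): the advisory's HTML payload,
# the same payload renamed to .png, a genuine PNG header, a GIF/HTML
# polyglot, and an SVG carrying a script.
SAMPLES = {
    "malicious.html": b"<html>\n<script>\nalert(document.cookie);\n</script>\n</html>\n",
    "renamed.png": b"<html><script>alert(document.cookie)</script></html>",
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "polyglot.gif": b"GIF89a" + b"\x00" * 8 + b"<script>alert(1)</script>",
    "logo.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        ok, info = check_upload(name, body)
        print(f"{name:15} {'ACCEPT' if ok else 'REJECT'}  {info}")
```

Only photo.png is accepted; the advisory's payload fails on extension, the renamed copy fails on magic bytes, and the polyglot fails on the markup scan. The ordering is deliberate: the cheap name check runs first, and the content checks only run for names that are already on the allowlist, so a wider allowlist does not widen what reaches the scanner unchecked.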
Conclusion: A Reminder of Developer Responsibility
The Statamic 4.7.0 file-inclusion vulnerability serves as a stark reminder that even well-designed software can harbor critical flaws when security is overlooked in favor of usability. Developers must balance ease of use with robust security controls—especially when handling user-generated content.
As cyberattacks evolve, vulnerabilities like this one highlight the importance of proactive security auditing, responsible file handling, and defense-in-depth strategies. Organizations using Statamic or similar platforms should treat this issue as a critical alert and act immediately to secure their environments.