CVE-2018-8972
Description
Creditwest Bank CMS Project (aka CWCMS) through 2017-07-28 has CSRF in the functionality for updating the site configuration, which allows remote attackers to inject arbitrary PHP code, as demonstrated by a PHP shell that calls eval on request parameters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CWCMS through 2017-07-28 contains a CSRF vulnerability in the site configuration update functionality, allowing remote attackers to inject arbitrary PHP code.
Vulnerability
CWCMS (Creditwest Bank CMS Project) through version 2017-07-28 suffers from a Cross-Site Request Forgery (CSRF) vulnerability in the site configuration update functionality. The lack of CSRF tokens or other anti-forgery measures allows an attacker to craft a malicious request that, when executed by an authenticated administrator, modifies the site configuration. This can be exploited to inject arbitrary PHP code, as demonstrated by a PHP shell that calls eval on request parameters [1].
Exploitation
An attacker needs to trick an authenticated administrator into visiting a malicious page or clicking a crafted link while logged into the CWCMS backend. The attacker crafts a request that modifies the site configuration, for example by including PHP code in a configuration field. Since the request is made from the administrator's browser with their session cookies, the server processes it as legitimate. The attacker does not need any prior authentication or network position beyond being able to deliver the CSRF payload.
Impact
Successful exploitation allows the attacker to inject arbitrary PHP code into the site configuration. This can lead to remote code execution (RCE) on the server, as the injected code can be executed when the configuration is processed. The attacker gains full control over the web application and potentially the underlying server, depending on the permissions of the web server process.
Mitigation
No official fix has been released as of the publication date (2018-03-24). The project appears to be unmaintained. Users should consider implementing CSRF protection manually, such as adding anti-CSRF tokens to the configuration update form, or migrating to an alternative CMS. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
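A concrete form of the anti-CSRF token mitigation described above, added here as an example and not CWCMS code: a per-session synchronizer token is embedded in the configuration form and checked in constant time before any configuration change is applied, and the configuration is persisted as data rather than as PHP. The handler path, field names and config file location are assumptions.

```php
<?php
// Added example, not CWCMS code: synchronizer-token CSRF protection for a
// site-configuration update handler. Paths and field names are assumed.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']); // PHP 7.3+
session_start();

// Issue one unpredictable token per session and reuse it for every form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// A forged cross-site request cannot read the victim's token, so it fails here.
// hash_equals() compares in constant time so the token is not leaked via timing.
function csrf_valid(array $post, array $session): bool
{
    $expected  = $session['csrf_token'] ?? '';
    $submitted = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($submitted) && hash_equals($expected, $submitted);
}

// Store configuration as JSON data, never as generated PHP source, so a
// configuration value can never be executed by the application.
function save_config(array $config): void
{
    file_put_contents(__DIR__ . '/config.json', json_encode($config), LOCK_EX); // assumed path
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST, $_SESSION)) {
        http_response_code(403);
        error_log('Rejected configuration update without a valid CSRF token');
        exit('Request rejected.');
    }
    // Only a token-bearing request from the administrator's own session reaches this point.
    save_config(['site_title' => (string) ($_POST['site_title'] ?? '')]);
}
?>
<form method="post" action="/admin/config.php">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <label>Site title <input type="text" name="site_title"></label>
  <button type="submit">Save</button>
</form>
```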
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
[1] github.com/CREDITWEST/CWCMS/issues/1 (MITRE, x_refsource_MISC)
News mentions (0)
No linked articles in our index yet.