VYPR
Moderate severity · NVD Advisory · Published Sep 18, 2024 · Updated Sep 18, 2024

Improper regex in htaccess file

CVE-2022-25769

Description

Impact

The default .htaccess file restricts access to PHP files so that only specific PHP files in the root of the application may be executed.

This logic isn't correct, as the regex in the second FilesMatch only checks the filename, not the full path.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Mautic's default .htaccess has an incorrect regex that only checks the filename, allowing unauthorized PHP files to be executed in the root.

Root cause

CVE-2022-25769 affects Mautic, an open-source marketing automation platform. The vulnerability lies in the default .htaccess file, which is intended to restrict execution of PHP files in the application's root directory to only a specific set of allowed files. However, the regex used in the second FilesMatch directive only checks the filename component of the request, not the full path. This oversight means that requests containing directory traversal or other path manipulation can bypass the intended restriction [1].
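The following Apache configuration is an added illustration of the flaw class described above and in the Description; it is not Mautic's actual .htaccess, and the allow-listed file names (index.php, upgrade.php) are assumptions. Apache's FilesMatch directive matches only the final filename component of the requested file, never its directory, so a filename-based allow-list cannot express "only in the document root". The second part shows a path-aware alternative using mod_rewrite, which is permitted in .htaccess and tests the full request URI.

```apache
# --- Weak pattern: allow-list keyed on filename only (illustrative, not Mautic's file) ---

# Step 1: deny direct access to every PHP file.
<FilesMatch "\.php$">
    Require all denied
</FilesMatch>

# Step 2: re-allow the intended entry points. FilesMatch sees only the
# basename, so this also re-allows /any/subdirectory/index.php, which is
# exactly the gap the advisory describes.
<FilesMatch "^(index|upgrade)\.php$">
    Require all granted
</FilesMatch>

# --- Hardened pattern: decide on the full request path instead ---

RewriteEngine On

# %{REQUEST_URI} is the full URL path (no query string). Forbid any
# request ending in .php unless it is exactly one of the root-level
# entry points. Assumed entry points; adjust to the application's real list.
RewriteCond %{REQUEST_URI} !^/(index|upgrade)\.php$
RewriteRule \.php$ - [F,L]
```

With the hardened rules, a request for /index.php is served, while /media/index.php or /vendor/anything.php receives 403 Forbidden, because the condition inspects the directory part of the path that FilesMatch ignores. The RewriteRule pattern is evaluated relative to the .htaccess directory and only needs to identify PHP targets; the RewriteCond carries the path-sensitive decision.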

Exploitation

An attacker can exploit this by crafting a request that, for example, includes a path segment that resolves to a disallowed PHP file but whose filename matches the allowed regex pattern. Since the regex only inspects the filename, such a request would not be blocked. The attack requires no authentication and can be performed over the network, as the .htaccess rules are evaluated before any application-level authentication [1].

Impact

Successful exploitation allows an attacker to execute arbitrary PHP files in the root directory of the Mautic application that should not be directly accessible. This could lead to information disclosure, code execution, or further compromise of the application and its underlying server, depending on the capabilities of the executed PHP file [1].

Mitigation

The vulnerability is fixed in Mautic versions 3.3.5 and 4.2.0. Users should upgrade to these versions or later. No workaround is available for earlier releases. The issue is tracked internally as MST-32 [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  Affected versions    Patched versions
mautic/core (Packagist)  < 3.3.5              3.3.5
mautic/core (Packagist)  >= 4.0.0, < 4.2.0    4.2.0

Affected products: 2

Patches: 0 (no patches discovered yet)
