Cockpit CMS 0.13.0 - Remote Code Execution

Overview

Multiple Remote Code Execution (RCE) vulnerabilities exist in Cockpit CMS version 0.13.0. The vulnerabilities allow remote attackers to execute arbitrary PHP code on the server.

Vulnerability Details

Affected Versions: 0.13.0 and earlier

Location: Multiple endpoints including /accounts/save, /auth/check, /api/galleries/findOne, /api/collections/findOne

Affected Parameters: account._id, auth[user], filter._id

Root Cause: The vulnerabilities stem from improper handling of user input in JSON parameters, which allows PHP code evaluation.

Exploitation Requirements

  • No authentication required for some vectors
  • Direct access to vulnerable endpoints

Impact

Remote attackers can exploit these vulnerabilities to:

  • Execute arbitrary PHP code on the server
  • Gain complete control of the CMS
  • Access sensitive files and databases
  • Pivot to internal network resources

Proof of Concept

POST /cockpit-0.13.0/accounts/save HTTP/1.1
Host: target.com
Content-Type: application/json

{"account":{"_id":"'+print(int)0xFFF9999-22+'"}}

POST /cockpit-0.13.0/auth/check HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

auth[user]='+print(int)0xFFF9999-22+'

Solution

Upgrade to a patched version of Cockpit CMS that includes proper input sanitization.
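
One way to screen requests to the endpoints and parameters listed above, for example in a reverse proxy or log review while the upgrade is pending. This is an added example, not part of the original advisory or of Cockpit's code; the allow-list pattern, the function names and the sample requests are assumptions constructed for illustration.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Endpoints and parameters named in the advisory: path suffix -> (outer, inner).
WATCHED = {
    "/accounts/save": ("account", "_id"),
    "/auth/check": ("auth", "user"),
    "/api/galleries/findOne": ("filter", "_id"),
    "/api/collections/findOne": ("filter", "_id"),
}
# Assumption: legitimate ids and user names are short plain tokens.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.@-]{1,64}")
FORM = "application/x-www-form-urlencoded"
# Constructed samples: the advisory's two PoC bodies, then a benign login.
SAMPLES = [
    ("/cockpit-0.13.0/accounts/save", "application/json",
     '{"account":{"_id":"\'+print(int)0xFFF9999-22+\'"}}'),
    ("/cockpit-0.13.0/auth/check", FORM, "auth[user]='+print(int)0xFFF9999-22+'"),
    ("/cockpit-0.13.0/auth/check", FORM, "auth[user]=admin&auth[password]=example"),
]


def form_to_nested(body):
    """Turn auth[user]=x into {'auth': {'user': 'x'}}; deeper keys become lists."""
    nested = {}
    for key, values in parse_qs(body, keep_blank_values=True).items():
        m = re.fullmatch(r"([^\[\]]+)\[([^\[\]]*)\](.*)", key)
        if m:  # auth[user][x]=... is stored as a list so it is never "plain"
            nested.setdefault(m[1], {})[m[2]] = [values[-1]] if m[3] else values[-1]
    return nested


def flagged_param(path, content_type, body):
    """Return 'outer.inner' if the watched value is not a plain token, else None."""
    hit = next((v for p, v in WATCHED.items() if urlsplit(path).path.endswith(p)), None)
    if hit is None:
        return None
    outer, inner = hit
    try:
        data = json.loads(body) if "json" in content_type.lower() else form_to_nested(body)
    except ValueError:
        return "unparseable body"
    group = data.get(outer) if isinstance(data, dict) else None
    if not isinstance(group, dict) or inner not in group:
        return None
    value = group[inner]
    safe = isinstance(value, str) and SAFE_VALUE.fullmatch(value)
    return None if safe else f"{outer}.{inner}"
```

Calling `flagged_param(*sample)` on each entry of `SAMPLES` flags the two PoC requests and passes the benign login. Tighten `SAFE_VALUE` to the id and user-name formats actually in use on the deployment.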
