The content management system Concrete5 CMS contained a major vulnerability, which has now been addressed in an updated version, according to an analysis published today by Edgescan.
Edgescan senior information security consultant Guram Javakhishvili revealed that Concrete5 had a Remote Code Evaluation (RCE) flaw, a known class of security weakness which, if exploited, “can lead to a full compromise of the susceptible web application and also the web server that it is hosted on.”
Concrete5 is a free CMS used to build websites and is known for its ease of use. It is used by major organizations including GlobalSign, the US Army, REC and BASF.
Javakhishvili said that the RCE vulnerability is simple to exploit and allows an attacker to quickly gain full access to the application. During an assessment of the product, Edgescan discovered that it was possible to modify the site configuration so that a PHP file could be uploaded, after which arbitrary commands could be executed. Once the configuration has been changed in this way, potentially malicious PHP code can be uploaded and system commands executed through it.
Using a ‘reverse shell’, the attacker can then take full control of the web server. By executing arbitrary commands on the server, its integrity, availability and confidentiality can all be compromised, and the attacker can go on to attack other servers on the internal network.
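The weakness described above hinged on a configuration change that let a PHP file be accepted as an upload. The following is an added illustration of the defender-side control that matters here: an explicit allowlist of upload extensions that is applied to every extension in a file name, not only the last one. It is not Concrete5 code and does not reproduce the Concrete5 issue; the allowlist, the helper names (`check_upload_name`, `audit_upload_dir`) and the sample file names are constructed for the example.

```python
"""Allowlist-based upload filename check (added illustration, not Concrete5 code).

The report describes an attacker changing a site's configuration so that a
PHP file could be uploaded and executed. A defender-side control is to decide
what may be uploaded with an explicit allowlist of extensions, never a
denylist of "dangerous" ones, and to evaluate every extension in the name so
that ``shell.php.jpg``-style names and case variants are caught as well.
"""
import os
import re

# Constructed allowlist for a hypothetical site: only static assets may be uploaded.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

# Extensions that a PHP-capable web server may hand to the interpreter.
# Used only to give a more specific reason string; the allowlist is what decides.
SERVER_EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}

_SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")


def check_upload_name(filename: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a user-supplied upload filename."""
    # Strip any path components: an upload must not choose its own directory.
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base in {".", ".."}:
        return False, "empty or path-only name"
    if not _SAFE_NAME.match(base):
        return False, "name contains characters outside [A-Za-z0-9._-]"
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing extension or hidden file"
    # Every extension in the name must be on the allowlist, not just the last one.
    for ext in parts[1:]:
        if ext in SERVER_EXECUTABLE:
            return False, f"server-executable extension .{ext}"
        if ext not in ALLOWED_EXTENSIONS:
            return False, f"extension .{ext} not in allowlist"
    return True, "ok"


def audit_upload_dir(names):
    """Return the file names that would be rejected under the current allowlist.

    Useful after a configuration change, as in the report, to find files that
    were accepted while the upload rules were weaker.
    """
    return [n for n in names if not check_upload_name(n)[0]]


# Constructed sample of upload names, including the shapes a defender should catch.
SAMPLE_UPLOADS = [
    "logo.png",
    "report.pdf",
    "shell.php",
    "shell.PHP",
    "shell.php.jpg",
    "image.jpg.phtml",
    "../../config/app.php",
    ".htaccess",
    "notes.txt",
]

if __name__ == "__main__":
    for name in SAMPLE_UPLOADS:
        ok, why = check_upload_name(name)
        print(f"{'ALLOW' if ok else 'REJECT':6} {name!r}: {why}")
```

Running the block prints a verdict for each constructed name; `audit_upload_dir` is the same check applied to a listing of an existing upload directory, which is the quickest way to find files that arrived while the configuration was in its weakened state. The extension check is a complement to, not a replacement for, serving upload directories with script execution disabled at the web server.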
Javakhishvili added that the weakness has now been addressed by Concrete5 following the investigation, and a stable fixed release, version 8.5.4, is available.
Eoin Keary, CEO of Edgescan, commented: “An RCE can lead to a full compromise of the vulnerable web application and also web server. Nearly 2% of vulnerabilities across the full stack were attributed to RCE in the Edgescan 2020 Vulnerability Stats Report. At Edgescan, we’re proud of the part we play in identifying vulnerabilities in web apps, alerting vendors and supporting them in making their products as secure as possible.”
The investigation serves as a reminder for organizations to take regular action to keep their CMS platforms secure. Steps advised by Edgescan include keeping installed scripts and CMS platforms up to date, taking regular backups and subscribing to a regularly updated list of vulnerabilities for the specific CMS in use.