CVE-2021-40097
📋 TL;DR
This vulnerability allows an authenticated attacker to perform a path traversal in Concrete CMS through the bFilename parameter of a file upload, which can be used to write a PHP file to a location the web server executes and so achieve remote code execution. It affects Concrete CMS 8.5.5 and earlier wherever an authenticated user can reach the vulnerable upload functionality.
💻 Affected Systems
- Concrete CMS (formerly concrete5), version 8.5.5 and earlier
📦 What is this software?
Concrete CMS (formerly concrete5) by Concrete CMS, an open-source PHP content management system.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control over the web server, potentially leading to data theft, lateral movement, and persistent backdoors.
Likely Case
Authenticated attackers upload malicious PHP files to execute arbitrary code, potentially compromising the CMS installation and underlying server.
If Mitigated
If uploads are confined to a directory where the web server does not execute PHP, a traversal attempt may still write a file but cannot be turned into code execution; the out-of-place file write itself remains a finding to investigate.
🎯 Exploit Status
Exploitation requires an authenticated account with access to the affected upload functionality. The HackerOne report provides technical details and the exploitation methodology.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.5.6 and later
Vendor Advisory: https://documentation.concretecms.org/developers/introduction/version-history/856-release-notes
Restart Required: No (web server restart is not needed; the CMS upgrade routine must still be run)
Instructions:
1. Back up your Concrete CMS installation (the application/ directory in particular) and the database.
2. Download Concrete CMS version 8.5.6 or later from the official website.
3. Replace the concrete/ directory with the new version while leaving application/ (your configuration, uploaded files and customisations) in place.
4. Run the Concrete CMS upgrade routine (the update page in the Dashboard, or concrete/bin/concrete5 c5:update from the shell) so that any database changes are applied.
5. Clear the cache from the Dashboard.
6. Verify the update completed successfully by checking the reported version (see How to Verify below).
🔧 Temporary Workarounds
Restrict File Uploads
Configure the web server so that PHP files under the upload directory are never executed or served. Because the flaw is a traversal, the attacker picks the destination path, so this only helps for writes that still land under the restricted directory; treat it as a partial mitigation, not a substitute for the patch.
# For Apache: add to .htaccess in the upload directory (requires AllowOverride) or to the vhost config
<FilesMatch "\.(php[0-9]?|phtml|phar)$">
    # Apache 2.4 syntax; on Apache 2.2 use "Order Deny,Allow" and "Deny from all" instead
    Require all denied
</FilesMatch>
# For nginx: deny PHP under the upload root only (application/files is the 8.x default; adjust if relocated).
# This location must appear before the generic "location ~ \.php$" fastcgi block, because the first
# matching regex location wins; a bare "location ~* \.php$ { deny all; }" would also block index.php.
location ~* ^/application/files/.*\.(php[0-9]?|phtml|phar)$ {
    deny all;
}
Disable Vulnerable Functionality
Temporarily remove file upload rights from authenticated users who do not need them.
# In the Dashboard, edit the File Manager permissions so that only trusted groups (e.g. Administrators) hold the "Add File" task; review custom roles and API keys that grant the same right
🧯 If You Can't Patch
- Implement strict web application firewall rules that reject traversal sequences in request parameters, including URL-encoded and double-encoded forms (../, ..\, ..%2F, %2e%2e/, ..%252F) and null bytes (%00)
- Restrict authenticated user permissions to prevent access to file upload functionality
🔍 How to Verify
Check if Vulnerable:
Check the Concrete CMS version in the Dashboard (System & Settings > Environment Information) or by reading the version entry in concrete/config/concrete.php. Note that 8.x stores the version in a returned configuration array rather than an APP_VERSION constant, so grep for the array key:
Check Version:
grep -m1 "'version' =>" concrete/config/concrete.php
Verify Fix Applied:
Verify the reported version is 8.5.6 or later, then confirm in a test environment that an upload whose bFilename parameter contains a traversal sequence (for example ../) is rejected or has the sequence stripped, rather than landing outside the intended upload directory.
📡 Detection & Monitoring
Log Indicators:
- Upload requests whose bFilename parameter contains a traversal sequence (../, ..\, or encoded forms such as ..%2F, ..%252F, %2e%2e/)
- PHP files (.php, .phtml, .phar, .php5 and similar) appearing under the upload root or in directories where the CMS does not normally write
- Multiple failed authentication attempts against one account followed by upload requests from the same client
Network Indicators:
- HTTP POST requests containing '../' or its URL-encoded variants in parameters
- Upload requests whose target path does not match the expected upload directory
SIEM Query:
source="web_logs" AND (bFilename="*../*" OR bFilename="*..%2F*" OR bFilename="*..%2f*" OR (uri="*/concrete/*/upload*" AND status=200))
Standard access logs record only the request line, so a bFilename sent in a POST body is visible only in WAF, reverse-proxy or application logs that capture request bodies; the query above assumes the parameter has been extracted into a bFilename field.
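The indicators above can be checked offline with a small scanner. The following is an added example, not part of the advisory and not code from Concrete CMS: it parses combined-format access-log lines, fully percent-decodes the bFilename parameter so encoded and double-encoded traversal sequences are caught, flags null bytes and PHP extensions, and lists PHP files found under the upload root. The log lines are constructed, the request path /index.php/example/upload is a placeholder rather than a real Concrete CMS route, and application/files is assumed to be the upload root (the 8.x default).

```python
"""Scan access-log lines for the CVE-2021-40097 indicators (added example)."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

UPLOAD_ROOT = "application/files"  # assumed default upload root for 8.x
PHP_EXT = re.compile(r"\.(?:php\d?|phtml|phar)$", re.IGNORECASE)
# ".." that forms a whole path segment, with either slash flavour as separator
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; not real traffic. The upload path is a placeholder.
SAMPLE_LOGS = [
    '203.0.113.5 - alice [01/Oct/2021:10:00:00 +0000] "POST /index.php/example/upload?bFilename=..%2F..%2Fshell.php HTTP/1.1" 200 512',
    '203.0.113.5 - alice [01/Oct/2021:10:00:01 +0000] "POST /index.php/example/upload?bFilename=..%252F..%252Fshell.php HTTP/1.1" 200 512',
    '203.0.113.9 - bob [01/Oct/2021:10:00:02 +0000] "POST /index.php/example/upload?bFilename=report.pdf HTTP/1.1" 200 512',
    '203.0.113.9 - bob [01/Oct/2021:10:00:03 +0000] "GET /index.php/dashboard/files HTTP/1.1" 200 4096',
    '203.0.113.5 - alice [01/Oct/2021:10:00:04 +0000] "POST /index.php/example/upload?bFilename=shell.php%00.jpg HTTP/1.1" 200 512',
    '198.51.100.2 - - [01/Oct/2021:10:00:05 +0000] "POST /index.php/example/upload?bFilename=..\\..\\shell.php HTTP/1.1" 403 0',
]


def decode_fully(value, max_rounds=3):
    """Percent-decode until stable so ..%2F and ..%252F both become ../"""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(value):
    """Reasons a bFilename value is suspicious; an empty list means benign."""
    v = decode_fully(value)
    reasons = []
    if TRAVERSAL.search(v):
        reasons.append("path traversal")
    if "\x00" in v:
        reasons.append("null byte")
    # extension of the final path component, as PHP would see it before a null byte
    leaf = v.replace("\\", "/").rsplit("/", 1)[-1].split("\x00", 1)[0]
    if PHP_EXT.search(leaf):
        reasons.append("php extension")
    return reasons


def parse_line(line):
    """Split one combined-format access-log line into fields, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "user": m["user"],
        "method": m["method"],
        "path": target.path,
        "params": parse_qs(target.query, keep_blank_values=True),
        "status": int(m["status"]),
    }


def scan_logs(lines, param="bFilename"):
    """Return (line_no, ip, status, decoded_value, reasons) for every suspicious upload."""
    hits = []
    for n, line in enumerate(lines, 1):
        req = parse_line(line)
        if req is None:
            continue
        for raw in req["params"].get(param, []):
            reasons = classify(raw)
            if reasons:
                hits.append((n, req["ip"], req["status"], decode_fully(raw), reasons))
    return hits


def php_files_under(paths, root=UPLOAD_ROOT):
    """Paths (relative to the web root) that are PHP files inside the upload root."""
    prefix = root.rstrip("/") + "/"
    return sorted(p for p in paths if p.startswith(prefix) and PHP_EXT.search(p))


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(hit)
    # constructed listing, e.g. the output of: find application/files -type f
    listing = ["application/files/1234/5678/report.pdf",
               "application/files/thumbnails/x.jpg",
               "application/files/shell.php",
               "concrete/src/Foo.php"]
    print(php_files_under(listing))
```

The status field is kept in each hit so that requests the WAF already blocked (403) can be separated from those that reached the application (200). Because access logs carry only the request line, feed the scanner WAF or application logs if bFilename is submitted in the POST body.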