CVE-2022-30117
📋 TL;DR
This vulnerability in Concrete CMS allows authenticated attackers to perform directory traversal via the file upload endpoint, potentially leading to arbitrary file deletion. It affects Concrete CMS versions 8.5.7 and below, and versions 9.0 through 9.0.2. The exploit requires authenticated access but can result in denial of service or system compromise.
💻 Affected Systems
- Concrete CMS
📦 What is this software?
Concrete Cms by Concretecms
⚠️ Risk & Real-World Impact
Worst Case
Authenticated attackers could delete critical system files, causing complete system unavailability, data loss, or potential privilege escalation by removing security controls.
Likely Case
Authenticated users with malicious intent could delete application files, causing service disruption, data loss, or defacement of the CMS installation.
If Mitigated
With proper access controls and file system permissions, impact would be limited to files accessible by the web server user, potentially causing application errors but not system compromise.
🎯 Exploit Status
Exploit details are publicly available on HackerOne. The vulnerability requires authenticated access but exploitation is straightforward once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.5.8 for Concrete 8.x, 9.0.3 for Concrete 9.x
Vendor Advisory: https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes
Restart Required: No
Instructions:
1. Back up your Concrete CMS installation and database.
2. Update to Concrete CMS 8.5.8 if using 8.x series.
3. Update to Concrete CMS 9.0.3 if using 9.x series.
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Restrict access to upload endpoint
Temporarily restrict access to the vulnerable endpoint using web server configuration or application firewall rules.
# Apache: RewriteRule ^/index\.php/ccm/system/file/upload - [F]
# Nginx: location ~ ^/index\.php/ccm/system/file/upload { return 403; }
Implement file permission restrictions
Set strict file system permissions to limit what files the web server user can delete.
# Linux: chmod 755 /path/to/concretecms
# Windows: Use ACLs to restrict web server user permissions
🧯 If You Can't Patch
- Implement strict access controls to limit which users can access the file upload functionality.
- Deploy a web application firewall (WAF) with rules to detect and block directory traversal attempts.
🔍 How to Verify
Check if Vulnerable:
Check your Concrete CMS version. If it's 8.5.7 or below, or between 9.0 and 9.0.2, you are vulnerable.
Check Version:
# Check Concrete CMS version via command line: grep -r "APP_VERSION" /path/to/concretecms/concrete/config/app.php | grep -o "[0-9]\+\.[0-9]\+\.[0-9]\+"
Verify Fix Applied:
After updating, verify the version is 8.5.8 or higher for 8.x series, or 9.0.3 or higher for 9.x series.
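The version ranges above can be checked mechanically. The following is an added example, not code from Concrete CMS or from the advisory; the function names `ver_num` and `is_affected` are hypothetical, the sample versions are constructed, and a pre-release suffix such as "RC1" is assumed to count as the release it precedes.

```shell
#!/bin/sh
# Classify a Concrete CMS version string against the ranges stated in this
# advisory: 8.5.7 and below, and 9.0 through 9.0.2.

# ver_num VERSION -> prints major*1000000 + minor*1000 + patch.
# Fails (exit status 1) when no numeric version can be found in the string.
ver_num() {
    printf '%s\n' "$1" | awk '{
        sub(/^[^0-9]*/, "")        # drop a leading "v" or other label
        sub(/[^0-9.].*$/, "")      # drop suffixes such as "RC1" (assumption)
        if ($0 == "") { exit 1 }   # nothing numeric left: unparseable
        split($0, p, ".")          # missing parts count as 0 (9.0 -> 9.0.0)
        print p[1] * 1000000 + p[2] * 1000 + p[3]
    }'
}

# is_affected VERSION
# Returns 0 if affected, 1 if not affected, 2 if the string cannot be parsed.
is_affected() {
    n=$(ver_num "$1") || return 2
    # 8.x branch: 8.5.7 and below (fixed in 8.5.8)
    if [ "$n" -le 8005007 ]; then return 0; fi
    # 9.x branch: 9.0 through 9.0.2 (fixed in 9.0.3)
    if [ "$n" -ge 9000000 ] && [ "$n" -le 9000002 ]; then return 0; fi
    return 1
}

# Constructed sample versions, not taken from a real installation.
for v in 8.5.7 8.5.8 9.0.2 9.0.3 9.1.0; do
    if is_affected "$v"; then
        echo "$v: affected, update required"
    else
        echo "$v: not affected"
    fi
done
```

Treat an exit status of 2 as "unknown" in inventory scripts rather than as "not affected", so unparseable version strings get reviewed by hand.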
📡 Detection & Monitoring
Log Indicators:
- Multiple failed file upload attempts with directory traversal patterns (../)
- Unusual file deletion events in application logs
- Errors related to missing files in system logs
Network Indicators:
- HTTP POST requests to /index.php/ccm/system/file/upload containing directory traversal sequences
- Unusual patterns of file upload requests from authenticated users
SIEM Query:
source="web_server_logs" AND (uri_path="/index.php/ccm/system/file/upload" AND (http_method="POST" AND (content="../" OR content="..\\")))
🔗 References
- https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes
- https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes
- https://hackerone.com/reports/1482280