CVE-2023-48217
📋 TL;DR
This vulnerability allows attackers to upload malicious PHP files disguised as images through Statamic's front-end forms and control panel asset uploads, bypassing MIME type validation. Successful exploitation could lead to remote code execution on affected Statamic CMS installations. All users running vulnerable versions with forms or asset upload features enabled are affected.
💻 Affected Systems
- Statamic CMS
📦 What is this software?
Statamic by Statamic
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through remote code execution, allowing attackers to steal data, deploy malware, or pivot to other systems.
Likely Case
Webshell deployment leading to data theft, defacement, or further exploitation of the hosting environment.
If Mitigated
File upload attempts are blocked or logged, preventing code execution while maintaining legitimate upload functionality.
🎯 Exploit Status
Exploitation requires only the ability to submit forms or upload assets, which are often publicly accessible features.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.4.14 or 4.34.0
Vendor Advisory: https://github.com/statamic/cms/security/advisories/GHSA-2r53-9295-3m86
Restart Required: No
Instructions:
1. Identify your Statamic version.
2. Update to 3.4.14 if using v3, or 4.34.0 if using v4.
3. Verify the update completed successfully.
4. Test form and asset upload functionality.
🔧 Temporary Workarounds
Disable file uploads
Temporarily disable all file upload functionality in forms and the control panel until patching is possible.
Web server file type restrictions
Configure the web server (Apache/Nginx) so that PHP files placed in upload directories are never executed.
For Apache: add 'php_flag engine off' to the .htaccess of each upload directory
For Nginx: add 'location ~ \.php$ { deny all; }' inside the location block for the upload directory
🧯 If You Can't Patch
- Implement strict file extension validation at the application level beyond MIME checking
- Deploy WAF rules to block uploads containing PHP code or suspicious file headers
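One way to do the application-level validation recommended above, as an added example that is not Statamic's own code: the client-declared MIME type is treated as a hint only, and the decision rests on an extension allowlist, the file's magic bytes, and a scan for PHP open tags. The signature table and the list of executable extensions are assumptions for this example.

```python
import re

# Allowed image extensions and the magic bytes each must start with
# (constructed for this example; extend for the formats your site accepts).
IMAGE_SIGNATURES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}

# Extensions a PHP web server may execute. Checked against every dotted part of
# the filename, not only the last, so "photo.php.png" is caught as well as "x.phtml".
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}

# A PHP open tag anywhere in the body means this is not a plain image.
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def validate_image_upload(filename, declared_mime, content):
    """Return (accepted, reason). Never trusts the declared MIME type on its own."""
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "missing extension"
    ext = parts[-1]
    if any(p in EXECUTABLE_EXTENSIONS for p in parts[1:]):
        return False, "executable extension in filename"
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension .{ext} not allowed"
    if not declared_mime.lower().startswith("image/"):
        return False, "declared MIME type is not an image"
    if not any(content.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        return False, "content does not match the extension's magic bytes"
    if PHP_OPEN_TAG.search(content):
        return False, "PHP open tag found in image body"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples: a real PNG header, and a PNG header with PHP appended.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(validate_image_upload("photo.png", "image/png", png))
    print(validate_image_upload("photo.png", "image/png", png + b"<?php echo 1;"))
```

Run this check before the file is written to disk; if the file is stored anyway, combine it with the web server rules above so a rejected-but-saved file still cannot execute.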
🔍 How to Verify
Check if Vulnerable:
Check Statamic version via control panel or composer.json. Versions below 3.4.14 (v3) or 4.34.0 (v4) are vulnerable.
Check Version:
php artisan statamic:version
Verify Fix Applied:
Confirm version is 3.4.14+ or 4.34.0+ and test that PHP files disguised as images are rejected during upload.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed upload attempts with PHP content
- Successful uploads of files with mismatched extensions and MIME types
- Access to uploaded files with .php extension
Network Indicators:
- HTTP POST requests to upload endpoints with suspicious file contents
- Subsequent requests to uploaded files in upload directories
SIEM Query:
source="web_logs" AND (uri_path="*upload*" OR uri_path="*/assets/*") AND (http_method="POST" AND (content_type="image/*" AND body_contains="<?php"))
🔗 References
- https://github.com/statamic/cms/commit/4c6fe041e2203a8033e5949ce4a5d9d6c0ad2411
- https://github.com/statamic/cms/security/advisories/GHSA-2r53-9295-3m86