Published:2022/09/02  Last Updated:2022/09/02

JVN#76024879
PowerCMS XMLRPC API vulnerable to command injection

Overview

PowerCMS XMLRPC API contains a command injection vulnerability.

Products Affected

  • PowerCMS 6.021 and earlier (PowerCMS 6 Series)
  • PowerCMS 5.21 and earlier (PowerCMS 5 Series)
  • PowerCMS 4.51 and earlier (PowerCMS 4 Series)
The developer states that PowerCMS 3 Series and earlier, which are unsupported (End-of-Life, EOL) versions, are affected too.

Description

PowerCMS XMLRPC API provided by Alfasado Inc. contains a command injection vulnerability (CWE-74).
Sending a specially crafted message by POST method to PowerCMS XMLRPC API may allow arbitrary Perl script execution, and an arbitrary OS command may be executed through it.
According to the developer, it is unable to execute a command with an arbitrary value added to its argument, even if the vulnerability is exploited.

Impact

An arbitrary Perl script may be executed by a remote attacker. As a result, an arbitrary OS command may be executed.

Solution

When XMLRPC API is NOT required: Disable XMLRPC API

  • If XMLRPC API is used as CGI/FastCGI
    • Delete mt-xmlrpc.cgi or remove execute permission of mt-xmlrpc.cgi
      • According to the developer, when PowerCMS environment variable XMLRPCScript is configured, the file may be renamed. In that case, implement this countermeasure to that renamed file
  • If XMLRPC API is used as PSGI
    • Configure environment variable RestrictedPSGIApp to prohibit XMLRPC application: RestrictedPSGIApp xmlrpc
When XMLRPC API should be kept available: Apply the patch
Apply the patch according to the information provided by the developer.

Vendor Status

Vendor Status Last Update Vendor Notes
Alfasado Inc. Vulnerable 2022/09/02 Alfasado Inc. website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score: 9.8
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
CVSS v2 AV:N/AC:L/Au:N/C:P/I:P/A:P
Base Score: 7.5
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)

Credit

Alfasado Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Alfasado Inc. coordinated under the Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2022-33941
JVN iPedia JVNDB-2022-000069