The following post details two critical security vulnerabilities found in versions of Mautic before 5.2.3: Remote Code Execution (RCE) via Asset Upload, and Path Traversal File Deletion. It provides code snippets, links to the original references, and exploit information to help readers understand these vulnerabilities.
Mautic, an open source marketing automation platform, has been found to have two critical security vulnerabilities in versions before 5.2.3. These vulnerabilities allow authenticated users to potentially exploit Remote Code Execution (RCE) via Asset Upload and Path Traversal File Deletion. This advisory aims to provide a brief overview of the vulnerabilities, share the affected code snippets, offer links to the original references, and outline the exploit details for those interested in learning more about these issues.
Remote Code Execution (RCE) via Asset Upload
A Remote Code Execution vulnerability exists in Mautic's asset upload functionality. Insufficient enforcement of allowed file extensions allows an attacker to bypass restrictions and upload executable files, such as PHP scripts. This could be exploited by an authenticated user, leading to unauthorized access and control over the server running Mautic.
Code snippet
// Mautic's AssetController
public function uploadAction(Request $request)
{
    //...
    $extension = pathinfo($filename, PATHINFO_EXTENSION);
    if (!in_array($extension, $this->allowedExtensions)) {
        // File extension not allowed
        //...
    } else {
        // Upload file
        //...
    }
}
In the above code snippet, the extension is compared against a list of allowed extensions, but the check is not strict, so an attacker can bypass the restriction.
More information about this vulnerability can be found in the references: RCE via Asset Upload in Mautic.
Path Traversal File Deletion
A Path Traversal vulnerability has been identified in the upload validation process in Mautic. Improper handling of path components allows an authenticated user to manipulate the file deletion process and delete arbitrary files on the host system.
Code snippet
// Mautic's AssetController
public function deleteAction(Request $request, $file)
{
    //...
    $filepath = $this->get('mautic.helper.paths')->getSystemPath('assets').'/'.$file;
    if (file_exists($filepath)) {
        unlink($filepath);
        //...
    }
}
As seen in the code snippet, the file path is built from the user-supplied $file without any validation of its path components, which is the Path Traversal vulnerability.
More information about this vulnerability can be found in the references: Path Traversal, File Deletion in Mautic.
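As an added illustration, not Mautic's own code or its actual fix, the following PHP functions show the two checks that the upload and deletion snippets above lack: a strict, case-insensitive extension allow-list that also covers multi-dot names, and confinement of a deletion path to the asset directory using realpath(). The function names and the $assetDir parameter are hypothetical.

```php
<?php
// Added example (not Mautic's code). Function names are hypothetical.

// Strict upload-name check: rejects directory components, dotfiles and
// empty extensions, lower-cases before comparing, and requires every
// dotted segment after the base name to be allow-listed, so "shell.php.png"
// fails even though its final extension is "png". A name such as
// "report.v2.pdf" is also rejected by design; use underscores instead.
function isAllowedUploadName(string $filename, array $allowedExtensions): bool
{
    $base = basename($filename);
    if ($base === '' || $base !== $filename) {   // "../x" or "dir/x" style names
        return false;
    }
    $parts = explode('.', strtolower($base));
    if (count($parts) < 2 || $parts[0] === '') { // no extension, or dotfile
        return false;
    }
    $allowed = array_map('strtolower', $allowedExtensions);
    foreach (array_slice($parts, 1) as $segment) {
        if (!in_array($segment, $allowed, true)) {
            return false;
        }
    }
    return true;
}

// Resolve a user-supplied name inside the asset directory and confirm the
// real path (symlinks and ".." resolved) stays strictly within it.
// Returns the resolved path, or null when the file is missing or escapes.
function resolveAssetPath(string $assetDir, string $file): ?string
{
    $root = realpath($assetDir);
    if ($root === false) {
        return null;
    }
    $candidate = realpath($root . DIRECTORY_SEPARATOR . $file);
    if ($candidate === false) {
        return null;                             // nothing to delete
    }
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                             // escaped via ../ or a symlink
    }
    return $candidate;
}

// Usage in a delete handler: only unlink() what resolveAssetPath() returns.
// $path = resolveAssetPath('/var/www/mautic/media/files', $file);
// if ($path !== null) { unlink($path); }
```

Because realpath() resolves symlinks, the prefix comparison also catches a file inside the asset directory that links to somewhere outside it, which a string-only ".." filter would miss.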
Exploit Details
Both vulnerabilities require an attacker to be authenticated to Mautic. Once authenticated, the attacker can exploit these vulnerabilities by crafting specific requests to either upload an executable file (RCE) or delete arbitrary files (Path Traversal).
Users of Mautic are strongly recommended to update their installations to version 5.2.3 or later, which addresses these critical vulnerabilities. Further information regarding the update can be found in the official Mautic changelog: Mautic 5.2.3 Release Notes.
In conclusion, it is imperative to take these vulnerabilities seriously and update your Mautic installations immediately. Regularly updating your software and staying informed about potential security issues is a critical step in maintaining a secure environment.
Timeline
Published on: 02/26/2025 13:15:39 UTC