CVE-2020-35846 Overview
CVE-2020-35846 is a NoSQL Injection vulnerability affecting Agentejo Cockpit CMS versions prior to 0.11.2. The vulnerability exists in the Controller/Auth.php check function, which fails to properly validate user input before processing authentication requests. This allows unauthenticated attackers to inject malicious NoSQL operators through the authentication endpoint, potentially leading to authentication bypass and remote command execution.
Critical Impact
This vulnerability allows unauthenticated remote attackers to bypass authentication controls and potentially execute arbitrary commands on affected Cockpit CMS installations via crafted NoSQL injection payloads.
Affected Products
- Agentejo Cockpit versions prior to 0.11.2
- Cockpit CMS installations using the vulnerable Controller/Auth.php authentication component
- Systems running MongoLite database with vulnerable query handling in lib/MongoLite/Database.php
Discovery Timeline
- 2020-12-30 - CVE-2020-35846 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-35846
Vulnerability Analysis
This NoSQL Injection vulnerability stems from improper input validation in the authentication controller of Agentejo Cockpit CMS. The Controller/Auth.php file accepts user-supplied input for authentication without verifying that the user and password fields are string values. This oversight allows attackers to submit arrays or objects containing MongoDB query operators instead of simple string values.
When malicious operators such as $func, $fn, or $f are passed through the authentication parameters, they are processed by the MongoLite database layer without proper sanitization. The vulnerability is compounded by the fact that callable strings were accepted by the $func operator in lib/MongoLite/Database.php, enabling potential remote code execution through carefully crafted injection payloads.
The attack can be executed over the network without any authentication or user interaction, making it highly exploitable in internet-facing Cockpit CMS installations.
Root Cause
The root cause is twofold: First, the authentication controller in modules/Cockpit/Controller/Auth.php fails to validate that the user and password parameters are strings before processing. Second, the MongoLite database query handler in lib/MongoLite/Database.php accepts callable strings for the $func, $fn, and $f operators, allowing arbitrary function execution.
Attack Vector
An attacker can exploit this vulnerability by sending specially crafted HTTP POST requests to the Cockpit CMS authentication endpoint. By replacing the user or password parameter with an array containing NoSQL operators (such as $func with a callable payload), the attacker can bypass authentication checks or execute arbitrary code on the server. The attack is network-based and requires no prior authentication.
The following security patches were applied to address the vulnerability:
Authentication Input Validation (Auth.php):
if ($data = $this->param('auth')) {
+ if (!\is_string($data['user']) || !\is_string($data['password'])) {
+ return ['success' => false, 'error' => 'Pre-condition failed'];
+ }
+
if (isset($data['user']) && $this->app->helper('utils')->isEmail($data['user'])) {
$data['email'] = $data['user'];
$data['user'] = '';
Source: GitHub Commit
Callable String Restriction (MongoLite/Database.php):
case '$func' :
case '$fn' :
case '$f' :
- if (! \is_callable($b))
+ if (\is_string($b) || !\is_callable($b))
throw new \InvalidArgumentException('Function should be callable');
$r = $b($a);
break;
Source: GitHub Commit
Detection Methods for CVE-2020-35846
Indicators of Compromise
- HTTP POST requests to /auth/check or similar authentication endpoints containing array syntax in user or password parameters
- Requests with MongoDB operators such as $func, $fn, $f, $where, $regex, or $ne in authentication payloads
- Unusual error messages or responses from the authentication endpoint indicating type mismatches
- Evidence of command execution originating from the web server process following authentication attempts
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block NoSQL injection patterns in POST parameters, particularly array-based payloads and MongoDB operators
- Monitor authentication endpoint logs for requests containing non-string data types or special characters indicative of injection attempts
- Deploy runtime application self-protection (RASP) solutions to detect injection attempts at the application layer
- Review web server access logs for repeated failed authentication attempts with unusual parameter structures
Monitoring Recommendations
- Enable verbose logging on the Cockpit CMS authentication module to capture detailed request information
- Set up alerts for authentication failures with error messages containing "Pre-condition failed" or "InvalidArgumentException"
- Monitor server processes for unexpected child processes spawned by the web server, which may indicate successful code execution
- Implement file integrity monitoring on Cockpit CMS core files to detect unauthorized modifications
How to Mitigate CVE-2020-35846
Immediate Actions Required
- Upgrade Agentejo Cockpit CMS to version 0.11.2 or later immediately
- If immediate upgrade is not possible, restrict access to the authentication endpoint using firewall rules or HTTP authentication
- Review server logs for evidence of exploitation attempts and investigate any suspicious activity
- Consider temporarily taking affected Cockpit CMS installations offline until patching is complete
Patch Information
Agentejo has released security patches in Cockpit CMS version 0.11.2 that address this vulnerability through multiple commits. The fixes include input type validation in the authentication controller and restrictions on callable strings in the MongoLite database layer. Apply all relevant security patches by upgrading to the latest version or applying the individual commits:
Workarounds
- Implement a reverse proxy or WAF rule to reject requests containing array syntax or MongoDB operators in authentication parameters
- Use network-level access controls to limit access to the Cockpit CMS admin interface to trusted IP addresses only
- Deploy an application-level input sanitization layer that enforces string-only values for authentication credentials
# Example nginx configuration to restrict authentication endpoint access
location /auth/check {
# Allow only trusted networks
allow 10.0.0.0/8;
allow 192.168.0.0/16;
deny all;
# Pass to Cockpit CMS backend
proxy_pass http://cockpit_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
