CVE-2020-35847 Overview
CVE-2020-35847 is a critical NoSQL injection vulnerability affecting Agentejo Cockpit CMS versions prior to 0.11.2. The flaw lies in the resetpassword function of Controller/Auth.php, which passes user-supplied input into database queries without checking that it is a string. An unauthenticated attacker can therefore submit query operators in place of a plain value, alter the query logic, and, in combination with other techniques, escalate to extraction of sensitive data or remote code execution.
Critical Impact
This NoSQL injection vulnerability allows unauthenticated remote attackers to bypass authentication, extract sensitive user data and, chained with other techniques, achieve remote command execution on vulnerable Cockpit CMS installations.
Affected Products
- Agentejo Cockpit versions prior to 0.11.2
Discovery Timeline
- 2020-12-30 - CVE-2020-35847 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-35847
Vulnerability Analysis
This NoSQL injection vulnerability affects Cockpit CMS, a self-hosted headless content management system that stores its data either in MongoDB or in MongoLite, the project's bundled SQLite-backed layer that accepts MongoDB-style queries. The flaw resides in the authentication module, specifically in the password reset functionality implemented in Controller/Auth.php. The handler does not check that user-supplied parameters are strings, so an attacker can submit an object or array (a JSON object, or form parameters written in PHP's user[$op]=value bracket syntax) whose keys are query operators instead of the expected plain string value.
The vulnerability is particularly dangerous because the endpoint is unauthenticated. Beyond the standard MongoDB-style operators such as $ne and $regex, MongoLite implements the non-standard operators $func, $fn and $f, which call a PHP callable on the stored field value; before the fix that callable could be supplied as a plain function-name string, so an injected operator could invoke arbitrary PHP functions. This can lead to authentication bypass, sensitive data extraction and, in combination with other techniques, remote command execution on the underlying server.
Public exploits are available through resources such as Packet Storm, demonstrating the practical exploitability of this vulnerability.
Root Cause
The root cause of this vulnerability is improper input validation in the authentication controller. The resetpassword function accepts user-controlled data and builds a query from it without verifying that the value is of the expected string type, so an array of operators is interpreted as query logic rather than as a literal value to match. A second weakness in the MongoLite database abstraction layer compounded this: its special operators $func, $fn and $f accepted any operand for which is_callable() returned true, including a plain string naming a PHP function, which was then invoked on the stored value.
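To make the two halves of the root cause concrete, the following is an added Python model of the mechanism described above; it is not Cockpit or MongoLite code. It reproduces a MongoLite-style field matcher with $eq/$ne and the callable operators, a reset-password lookup that queries on the user parameter exactly as submitted, and switches for the two fixes: the controller-level is_string guard and the MongoLite guard that rejects string operands. The user records, the STRING_CALLABLES table (a stand-in for PHP resolving a function name such as strlen) and the request bodies are all constructed for the example.

```python
import json
from typing import Any, Callable

# Constructed stand-in for PHP's is_callable("name") resolving a function name
# supplied as a plain string; real PHP would accept any defined function.
STRING_CALLABLES: dict[str, Callable[[Any], Any]] = {
    "strlen": len,
    "strtoupper": str.upper,
}

# Constructed sample account records standing in for the accounts collection.
USERS = [
    {"user": "admin", "email": "admin@example.test"},
    {"user": "editor", "email": "editor@example.test"},
]


def resolve_callable(operand: Any, mongolite_fix: bool) -> Callable[[Any], Any]:
    """Model the $func/$fn/$f operand check.

    mongolite_fix=False models the pre-fix guard `!is_callable($b)`, which lets a
    function name given as a string through; mongolite_fix=True models the fixed
    guard `is_string($b) || !is_callable($b)`, which rejects strings outright.
    """
    if isinstance(operand, str):
        if mongolite_fix or operand not in STRING_CALLABLES:
            raise ValueError("Function should be callable")
        return STRING_CALLABLES[operand]
    if callable(operand):
        return operand
    raise ValueError("Function should be callable")


def matches(field_value: Any, condition: Any, mongolite_fix: bool) -> bool:
    """Evaluate one field condition the way a MongoLite-style matcher does:
    a scalar is an equality test, a dict is a set of operators to satisfy."""
    if not isinstance(condition, dict):
        return field_value == condition
    for op, operand in condition.items():
        if op == "$eq":
            ok = field_value == operand
        elif op == "$ne":
            ok = field_value != operand
        elif op in ("$func", "$fn", "$f"):
            # The operator calls the operand on the stored value: $r = $b($a)
            ok = bool(resolve_callable(operand, mongolite_fix)(field_value))
        else:
            raise ValueError(f"unsupported operator {op}")
        if not ok:
            return False
    return True


def find_users(criteria: dict, mongolite_fix: bool) -> list[dict]:
    """Return every record satisfying all criteria fields."""
    return [
        rec for rec in USERS
        if all(matches(rec.get(k), v, mongolite_fix) for k, v in criteria.items())
    ]


def reset_lookup(body: str, controller_fix: bool, mongolite_fix: bool) -> dict:
    """Model of the reset-password lookup: decode the JSON request body, apply
    the Auth.php is_string guard if controller_fix is set, then query on the
    user parameter exactly as submitted."""
    user = json.loads(body).get("user")
    if controller_fix and not isinstance(user, str):
        return {"success": False, "error": "Pre-condition failed"}
    try:
        found = find_users({"user": user}, mongolite_fix)
    except ValueError as exc:
        return {"success": False, "error": str(exc)}
    return {"success": True, "matched": [rec["user"] for rec in found]}


if __name__ == "__main__":
    for body in ('{"user": "admin"}', '{"user": {"$ne": ""}}',
                 '{"user": {"$func": "strlen"}}'):
        print(body, "unpatched ->", reset_lookup(body, False, False))
        print(body, "patched   ->", reset_lookup(body, True, True))
```

Running it shows why both fixes were needed: with neither fix, `{"user": {"$ne": ""}}` and `{"user": {"$func": "strlen"}}` each match every account instead of one, because the submitted object becomes query logic. The MongoLite guard alone stops only the callable operators; the $ne form still matches everything, so the controller-level type check is the fix that closes the injection, and the MongoLite change is defence in depth for any other caller that forwards untrusted operands.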
The following security patches demonstrate the fixes applied:
Patch 1: Adding type validation in Auth.php
if ($data = $this->param('auth')) {
+ if (!\is_string($data['user']) || !\is_string($data['password'])) {
+ return ['success' => false, 'error' => 'Pre-condition failed'];
+ }
+
if (isset($data['user']) && $this->app->helper('utils')->isEmail($data['user'])) {
$data['email'] = $data['user'];
$data['user'] = '';
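Review bot: the new guard reads $data['user'] and $data['password'] before the isset($data['user']) on the following line, so a request missing either key raises an undefined-index notice on the way to being rejected; checking `isset($data['user'], $data['password'])` first and then `\is_string(...)` on both avoids that. Separately, this hunk guards the `auth` login parameters, while the advisory names the resetpassword function, which reads its own user parameter; that handler needs the same is_string check or the reset path stays injectable.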
Source: GitHub Commit - Auth.php Fix
Patch 2: Preventing callable strings in MongoLite
case '$func' :
case '$fn' :
case '$f' :
- if (! \is_callable($b))
+ if (\is_string($b) || !\is_callable($b))
throw new \InvalidArgumentException('Function should be callable');
$r = $b($a);
break;
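Review bot: `\is_string($b)` excludes only the function-name form of a callable; `is_callable` also accepts an array such as `['ClassName', 'staticMethod']`, and an array is exactly what a JSON or bracket-syntax request parameter decodes to, so a client can still reach `$r = $b($a)` with a static method of any class the autoloader can find. Allowing only what internal callers actually pass, for example `if (!($b instanceof \Closure))`, would close the operator to untrusted input instead of deny-listing one shape of it.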
Source: GitHub Commit - MongoLite Fix
Attack Vector
The attack is network-based and can be executed by unauthenticated remote attackers. The attacker sends a specially crafted HTTP request to the Cockpit CMS password reset endpoint, replacing expected string parameters with arrays or objects whose keys are query operators. These operators can manipulate the query logic to bypass authentication, enumerate users, extract password reset tokens, or, through MongoLite's $func/$fn/$f operators, invoke PHP functions by name.
The attack requires no user interaction and can be automated, making it highly attractive for mass exploitation campaigns against exposed Cockpit CMS instances.
Detection Methods for CVE-2020-35847
Indicators of Compromise
- Unusual HTTP POST requests to /auth/resetpassword or similar authentication endpoints containing array or object parameters (JSON objects, or bracket-syntax names such as user[$ne]) where a string value is expected
- Web server logs showing requests with the MongoLite operators $func, $fn or $f, or MongoDB-style operators such as $regex or $ne, in the POST body or query string, including their URL-encoded form (%24ne)
- Multiple failed or anomalous password reset attempts from the same source IP
- Evidence of data exfiltration or unauthorized administrative access following authentication endpoint abuse
Detection Strategies
- Deploy Web Application Firewall (WAF) rules to detect and block requests containing NoSQL injection patterns such as $gt, $ne, $func and similar query operators; the rules must decode JSON bodies, URL-encoded form bodies and the query string, since the operator can arrive in any of them
- Implement application-level logging to capture and alert on non-string input types submitted to authentication endpoints
- Monitor for unusual patterns in authentication-related API endpoints, including high volumes of password reset requests
- Use intrusion detection systems (IDS) with signatures for known Cockpit CMS exploitation attempts
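The indicators and strategies above can be turned into a log-side check. The following is an added example, not code from the page or from Cockpit: it merges query-string and body parameters the way PHP would see them (rebuilding a[b][c]=v bracket names as nested keys and decoding JSON bodies), then flags any authentication-route request that carries a $-prefixed operator key or a non-string value in a parameter that should be a string. The request records, the /auth/ route prefix and the STRING_FIELDS set are assumptions for the example; real Cockpit logs would need a small adapter to produce the same record shape.

```python
import json
import re
from typing import Any, Iterator
from urllib.parse import parse_qsl, urlsplit

# Operators named in the indicators above ($func/$fn/$f are MongoLite-specific).
OPERATORS = {"$func", "$fn", "$f", "$ne", "$gt", "$regex"}
# Parameters the Auth routes should receive as plain strings (assumption).
STRING_FIELDS = {"user", "password", "email"}

# Constructed request records, one per logged request (not real traffic).
SAMPLE_REQUESTS = [
    {"src": "203.0.113.5", "method": "POST", "path": "/auth/resetpassword",
     "content_type": "application/json", "body": '{"user": "alice"}'},
    {"src": "198.51.100.7", "method": "POST", "path": "/auth/resetpassword",
     "content_type": "application/json", "body": '{"user": {"$func": "strlen"}}'},
    {"src": "198.51.100.7", "method": "POST", "path": "/auth/check",
     "content_type": "application/x-www-form-urlencoded",
     "body": "auth[user][$regex]=^adm&auth[password]=x"},
    {"src": "198.51.100.9", "method": "GET", "path": "/auth/resetpassword?user[%24ne]=",
     "content_type": "", "body": ""},
    {"src": "203.0.113.5", "method": "POST", "path": "/api/collections/get/posts",
     "content_type": "application/json",
     "body": '{"filter": {"title": {"$regex": "^Hello"}}}'},
]

BRACKET_RE = re.compile(r"\[([^\]]*)\]")


def nest_form(pairs: list[tuple[str, str]]) -> dict:
    """Rebuild PHP's nested-array view of a[b][c]=v form or query parameters."""
    root: dict = {}
    for key, value in pairs:
        parts = [key.split("[", 1)[0]] + BRACKET_RE.findall(key)
        node = root
        for part in parts[:-1]:
            node = node.setdefault(part, {})
            if not isinstance(node, dict):
                break  # conflicting scalar already stored under this name
        else:
            node[parts[-1]] = value
    return root


def decode_params(record: dict) -> dict:
    """Merge query-string and body parameters into one nested dict."""
    params = nest_form(parse_qsl(urlsplit(record["path"]).query, keep_blank_values=True))
    body, ctype = record.get("body", ""), record.get("content_type", "")
    if body and "json" in ctype:
        try:
            decoded = json.loads(body)
        except ValueError:
            decoded = {}
        if isinstance(decoded, dict):
            params.update(decoded)
    elif body:
        params.update(nest_form(parse_qsl(body, keep_blank_values=True)))
    return params


def walk(node: Any, path: tuple[str, ...] = ()) -> Iterator[tuple[tuple[str, ...], Any]]:
    """Depth-first walk yielding (key path, value) for every nested key."""
    if isinstance(node, dict):
        items = list(node.items())
    elif isinstance(node, list):
        items = list(enumerate(node))
    else:
        return
    for key, value in items:
        here = path + (str(key),)
        yield here, value
        yield from walk(value, here)


def analyse(record: dict) -> list[str]:
    """Return the indicators matched by one request (empty list = clean)."""
    if not urlsplit(record["path"]).path.startswith("/auth/"):
        return []  # collection/API routes accept operators in filters legitimately
    reasons = []
    for path, value in walk(decode_params(record)):
        key, where = path[-1], ".".join(path)
        if key in OPERATORS or key.startswith("$"):
            reasons.append(f"operator {key} at {where}")
        elif key in STRING_FIELDS and not isinstance(value, str):
            reasons.append(f"non-string {type(value).__name__} at {where}")
    return reasons


def scan(records: list[dict]) -> list[tuple[str, str, list[str]]]:
    """Run analyse() over a batch and keep only the flagged requests."""
    return [(r["src"], r["path"], hits) for r in records if (hits := analyse(r))]


def repeat_offenders(records: list[dict], threshold: int = 2) -> list[str]:
    """Sources with at least `threshold` flagged requests (the IoC on repeats)."""
    counts: dict[str, int] = {}
    for src, _, _ in scan(records):
        counts[src] = counts.get(src, 0) + 1
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for src, path, hits in scan(SAMPLE_REQUESTS):
        print(src, path, hits)
    print("repeat offenders:", repeat_offenders(SAMPLE_REQUESTS))
```

The non-auth API request with a $regex filter is deliberately left unflagged: Cockpit's collection API takes operators in filters by design, so a rule that matches bare operator names everywhere produces noise, while restricting the non-string and operator checks to the authentication routes keeps the signal tied to this vulnerability class.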
Monitoring Recommendations
- Enable verbose logging for the Cockpit CMS application to capture all authentication-related events
- Set up real-time alerting for web application firewall blocks related to injection attempts
- Monitor network traffic for connections to suspicious external destinations following authentication endpoint access
- Implement file integrity monitoring to detect unauthorized modifications to Cockpit CMS files
How to Mitigate CVE-2020-35847
Immediate Actions Required
- Upgrade Agentejo Cockpit CMS to version 0.11.2 or later immediately
- If immediate patching is not possible, temporarily disable the password reset functionality or restrict access to authentication endpoints
- Review web server access logs for evidence of exploitation attempts
- Rotate all user passwords and API tokens if compromise is suspected
- Consider temporarily taking the application offline if running a vulnerable version in a production environment
Patch Information
Agentejo has released security patches addressing this vulnerability in version 0.11.2. The fixes include proper type validation for user-supplied authentication parameters and restrictions on callable functions in the MongoLite database layer. Organizations should upgrade to the latest version available from the official Cockpit CMS website or apply the specific commits from the GitHub repository.
Workarounds
- Implement a reverse proxy or WAF rule to reject requests containing array parameters in authentication endpoints
- Add custom PHP validation code to check input types before processing authentication requests
- Restrict network access to the Cockpit CMS administrative interface using IP whitelisting
- Deploy rate limiting on authentication endpoints to slow automated exploitation attempts
# Example nginx configuration to reject NoSQL operator names in the query string
# of the authentication routes. Plain nginx evaluates "if" in the rewrite phase,
# before the request body has been read, so $request_body is empty there and a
# body match never fires; inspecting POST bodies needs a body-aware layer
# (ModSecurity, njs or Lua) or a type check in the application itself.
location /auth/ {
    # Match "$op" or its URL-encoded form "%24op" as a whole operator name, so
    # that a bare "\$f" does not also swallow every parameter starting with $f.
    if ($query_string ~* "(\$|%24)(func|fn|f|ne|gt|regex)\b") {
        return 403;
    }
    proxy_pass http://cockpit_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.