CVE-2023-41892 Overview
CVE-2023-41892 is a critical unauthenticated Remote Code Execution (RCE) vulnerability in Craft CMS. The conditions controller accepted attacker-controlled configuration arrays and passed them to the Yii2 object factory without stripping the reserved on X (event handler) and as X (behavior) keys, so an attacker could have arbitrary classes instantiated with attacker-chosen properties and reach code execution. The attack needs no credentials and no user interaction and is delivered in a single HTTP request, which makes it a high-impact, low-complexity vector.
Critical Impact
Unauthenticated attackers can achieve complete system compromise through remote code execution, potentially leading to data theft, server takeover, and lateral movement within the network.
Affected Products
- Craft CMS 4.0.0-RC1 through 4.4.14 (fixed in 4.4.15); Craft 3.x is not affected
- Any deployment of a vulnerable 4.x version whose control-panel action routes are reachable from the network
Discovery Timeline
- July 3, 2023 - Craft CMS 4.4.15 released with the fix
- September 13, 2023 - CVE-2023-41892 published to NVD
- November 21, 2024 - NVD entry last updated
Technical Details for CVE-2023-41892
Vulnerability Analysis
This vulnerability (CWE-94: Improper Control of Generation of Code - Code Injection) exists in how Craft CMS processes configuration parameters through its conditions controller. The controller JSON-decodes a user-supplied configuration array and hands it to the framework's object factory without filtering the keys, so an attacker can add the special on X or as X keys that Yii2 reserves for attaching event handlers and behaviors.
In Yii2, Component::__set() treats a key of the form "on eventName" as an event handler to attach and a key of the form "as behaviorName" as a behavior to attach; a behavior may itself be given as a class-plus-properties array that the framework instantiates on the spot. Because Craft CMS (a Yii2 application) passed the request's configuration straight into this mechanism, an unauthenticated request could have arbitrary, attacker-chosen classes instantiated with attacker-chosen property values while the condition was being created, which is enough to reach code execution with the web server's privileges.
Root Cause
The root cause is missing input validation in the conditions controller: the JSON-decoded configuration parameters were processed without removing the reserved keys. Yii2-based applications such as Craft CMS allow objects to be configured with event handlers (on eventName) and behaviors (as behaviorName) through the same array that carries ordinary properties, so a configuration that should only describe a condition can also describe arbitrary objects to build. With no sanitization step, attackers could inject these keys and have their chosen code run while the condition object was being instantiated. The fix adds exactly that step (Component::cleanseConfig()) and applies it before the configuration is used.
Attack Vector
The conditions controller is reachable over the network as a control-panel action route (for example /admin/actions/conditions/... or, via Craft's path query parameter, /index.php?p=admin/actions/conditions/...), and the vulnerable code ran before the login check. An attacker sends a single crafted HTTP POST whose config body parameter carries JSON with on X or as X keys (or the same keys via PHP's nested form-parameter syntax, param[as x][class]=...). When Craft CMS processes that configuration to instantiate the condition object, the injected handler or behavior is created, and the resulting code runs with the privileges of the web server process. No credentials are needed, so every exposed, unpatched Craft CMS instance is a target.
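To make the injection surface and the patch's cleanse step concrete, here is an added Python model written for this page; it is not Craft's own code. It decodes a form-encoded action request the way PHP and the controller would (the config body parameter holds JSON text, and PHP turns nested form names such as param[as x][class]=... into an array keyed "as x" before Craft ever sees it), reports every on X / as X key at any depth, and strips them the way Component::cleanseConfig() does. The request bodies, the parameter name configObject and the Example\... class names are constructed placeholders; no real gadget class is used.

```python
import json
import re
from urllib.parse import parse_qsl, urlencode

# Keys that Yii's Component::__set() turns into an event handler
# ("on eventName") or an attached behavior ("as behaviorName").
DANGEROUS_PREFIXES = ("on ", "as ")
_NESTED_NAME = re.compile(r"^([^\[]+)((?:\[[^\]]*\])*)$")


def is_dangerous_key(key):
    return isinstance(key, str) and key.startswith(DANGEROUS_PREFIXES)


def find_dangerous_keys(value, path):
    """Return the path of every on X / as X key at any depth of a decoded config."""
    hits = []
    if isinstance(value, dict):
        for key, child in value.items():
            child_path = f"{path}[{key}]"
            if is_dangerous_key(key):
                hits.append(child_path)
            hits.extend(find_dangerous_keys(child, child_path))
    elif isinstance(value, list):
        for i, child in enumerate(value):
            hits.extend(find_dangerous_keys(child, f"{path}[{i}]"))
    return hits


def cleanse_config(value):
    """Python equivalent of Craft's Component::cleanseConfig(): drop on X / as X
    keys recursively and leave everything else untouched."""
    if isinstance(value, dict):
        return {k: cleanse_config(v) for k, v in value.items() if not is_dangerous_key(k)}
    if isinstance(value, list):
        return [cleanse_config(v) for v in value]
    return value


def php_form_params(body):
    """Decode a form-encoded body into nested dicts the way PHP builds $_POST,
    so a[b][c]=1 becomes {"a": {"b": {"c": "1"}}} (assumes consistent nesting)."""
    result = {}
    for name, val in parse_qsl(body, keep_blank_values=True):
        m = _NESTED_NAME.match(name)
        if not m:
            result[name] = val
            continue
        segments = [m.group(1)] + re.findall(r"\[([^\]]*)\]", m.group(2))
        node = result
        for seg in segments[:-1]:
            node = node.setdefault(seg, {})
        node[segments[-1]] = val
    return result


def decode_if_json(value):
    """Mirror of Json::decodeIfJson(): decode JSON text, pass anything else through."""
    if isinstance(value, str):
        try:
            return json.loads(value)
        except ValueError:
            return value
    return value


def inspect_form_body(body):
    """Follow the vulnerable controller's input path: decode the `config`
    parameter, then fetch the parameter it names, and report every dangerous
    key in either. Also returns `config` as the patched code would see it."""
    params = php_form_params(body)
    base_config = decode_if_json(params.get("config"))
    hits = find_dangerous_keys(base_config, "config")
    if isinstance(base_config, dict) and isinstance(base_config.get("name"), str):
        named = decode_if_json(params.get(base_config["name"]))
        hits += find_dangerous_keys(named, base_config["name"])
    return hits, cleanse_config(base_config)


# Constructed sample bodies; parameter and class names are placeholders.
JSON_KEY_BODY = urlencode({        # behavior injected through the JSON config
    "configObject[class]": "Example\\Condition",
    "config": json.dumps({"name": "configObject",
                          "as x": {"class": "Example\\Behavior"}}),
})
NESTED_KEY_BODY = urlencode({      # handler injected through PHP nested form names
    "config": json.dumps({"name": "configObject"}),
    "configObject[on init][class]": "Example\\Handler",
})
BENIGN_BODY = urlencode({          # "on " inside a *value* is harmless
    "configObject[class]": "Example\\Condition",
    "config": json.dumps({"name": "configObject", "label": "on sale items"}),
})

if __name__ == "__main__":
    for label, body in [("json key", JSON_KEY_BODY), ("nested key", NESTED_KEY_BODY), ("benign", BENIGN_BODY)]:
        hits, cleansed = inspect_form_body(body)
        print(f"{label:10} hits={hits} cleansed config={cleansed}")
```

The three bodies show why a filter should look at decoded keys rather than raw bytes: a plain substring search for "on  in the body flags the benign request (the value "on sale items") and misses the nested-form variant entirely, while the key walk reports config[as x] and configObject[on init] and nothing for the benign body.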
// Patch from src/helpers/Component.php - The cleanseConfig function added in 4.4.15
// Source: https://github.com/craftcms/cms/commit/7359d18d46389ffac86c2af1e0cd59e37c298857
/**
 * Cleanses a component config of any `on X` or `as X` keys.
 *
 * @param array $config
 * @return array
 * @since 4.4.15
 */
public static function cleanseConfig(array $config): array
{
    foreach ($config as $key => $value) {
        if (is_string($key) && (str_starts_with($key, 'on ') || str_starts_with($key, 'as '))) {
            unset($config[$key]);
            continue;
        }
        if (is_array($value)) {
            $config[$key] = static::cleanseConfig($value);
        }
    }
    return $config;
}
// Patch from src/controllers/ConditionsController.php - Applying cleanseConfig to user input
// Source: https://github.com/craftcms/cms/commit/a270b928f3d34ad3bd953b81c304424edd57355e
$this->requireCpRequest();
- $baseConfig = Json::decodeIfJson($this->request->getBodyParam('config'));
+ $baseConfig = Component::cleanseConfig(Json::decodeIfJson($this->request->getBodyParam('config')));
$config = Component::cleanseConfig($this->request->getBodyParam($baseConfig['name']));
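Review bot: the second cleansed line is shown without a diff marker even though it also wraps the body parameter in Component::cleanseConfig(), so the hunk does not make clear whether that line was changed in this commit or was already in place; if it was added it should carry a + marker like the line above it. Two follow-ups on the same two lines: Json::decodeIfJson() hands back whatever it was given when the config parameter is not JSON, and cleanseConfig(array $config) accepts only arrays, so a non-JSON value here surfaces as a TypeError rather than a clean 400; and $baseConfig['name'] is read as a key before anything checks that name exists or is a string. Note also that the requireCpRequest() call above the hunk only asserts that the request targets the control panel and does not reject an anonymous caller, which is why the cleansing has to be unconditional at this point.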
Detection Methods for CVE-2023-41892
Indicators of Compromise
- POST requests to the conditions controller, reached as /admin/actions/conditions/..., /index.php?p=admin/actions/conditions/... or the equivalent path under a custom cpTrigger, from sources with no preceding control-panel login (the condition builder in the control panel uses this route legitimately, so correlate with session and referer)
- Request bodies that, after URL-decoding, carry keys beginning with "on " or "as " in the config parameter or in the parameter it names, including PHP's nested form syntax param[as x][...]
- Web server logs showing requests to the conditions controller from unexpected sources or with malformed configuration data, including 500 responses or PHP errors from that route (failed attempts with a bad class or property name error out)
- Unexpected processes spawned by the web server, or commands executed under the web-server user
- New or modified files in the Craft CMS web root or storage directories, particularly PHP files with suspicious content
Detection Strategies
- Web Application Firewall (WAF) rules should URL-decode the body and then match keys beginning with "on " or "as " in the JSON config parameter (and the "[on " / "[as " form of PHP nested parameter names), scoped to Craft action routes; matching the raw body misses URL-encoded payloads, and matching string values as well as keys produces false positives
- Deploy endpoint detection and response (EDR, for example SentinelOne) to identify post-exploitation activity such as unexpected process creation or file-system modifications by the web-server user
- Configure intrusion detection systems to alert on unusual traffic to Craft control-panel or action endpoints, including requests that route the control panel through the "p" query parameter on /index.php
- Establish baseline behavior for the PHP and web-server processes and alert on deviations
Monitoring Recommendations
- Enable detailed access logging for all Craft CMS endpoints and forward logs to a SIEM for correlation and analysis
- Monitor for unexpected outbound connections from web servers that could indicate command-and-control communication following exploitation
- Set up file integrity monitoring for Craft CMS installation directories to detect unauthorized modifications
- Review web server error logs for PHP errors or exceptions that may indicate exploitation attempts
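The log review above is easiest to show with a small triage script; this is an added example written for this page, not something from the page's author or from Craft. It parses nginx "combined" access-log lines, resolves the route Craft would see (the URL path, or the "p" query parameter when the control panel is reached through /index.php?p=...), and flags POSTs to the conditions controller with a per-source count so a burst from one address stands out. The log lines, addresses and user agents are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# nginx "combined" log format: ip ident user [time] "method target proto" status bytes "referer" "ua"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Matches the conditions controller however the control-panel prefix is spelled.
CONDITIONS_ROUTE = re.compile(r"(^|/)actions/conditions/", re.IGNORECASE)


def craft_route(target):
    """Return the route Craft resolves for a request target: the "p" query
    parameter when present (Craft's path parameter), otherwise the URL path.
    Both are percent-decoded so encoded slashes do not evade the match."""
    parts = urlsplit(target)
    routed = parse_qs(parts.query).get("p")
    if routed:
        return routed[0]          # parse_qs already percent-decodes
    return unquote(parts.path)


def triage(log_lines):
    """Parse combined-format lines and return the suspicious hits plus a
    per-IP count. Unparsable lines are skipped rather than aborting the run."""
    hits = []
    for line in log_lines:
        m = COMBINED.match(line)
        if not m:
            continue
        route = craft_route(m["target"])
        if m["method"] == "POST" and CONDITIONS_ROUTE.search(route):
            hits.append({"ip": m["ip"], "time": m["time"], "route": route,
                         "status": int(m["status"]), "ua": m["ua"]})
    return hits, Counter(h["ip"] for h in hits)


# Constructed sample log; addresses, times and user agents are illustrative.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Sep/2023:14:02:11 +0000] "POST /index.php?p=admin/actions/conditions/render HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Sep/2023:14:02:13 +0000] "POST /index.php?p=admin%2Factions%2Fconditions%2Frender HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '198.51.100.4 - - [10/Sep/2023:14:03:05 +0000] "GET /admin/entries HTTP/1.1" 200 8132 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Sep/2023:14:03:20 +0000] "POST /admin/actions/conditions/render HTTP/1.1" 200 640 "https://example.test/admin/entries" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Sep/2023:14:04:00 +0000] "GET /blog/actions-of-conditions/ HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits, per_ip = triage(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ip']:14} {h['status']} {h['route']}  ua={h['ua']}")
    print("per source:", dict(per_ip))
```

Both requests from 203.0.113.7 are flagged (the second only because the encoded "p" value is decoded before matching), the legitimate control-panel POST from 198.51.100.4 is flagged as well and has to be cleared by its referer and session context, and the blog GET is not, since the route regex requires the literal actions/conditions/ segment. Access logs do not contain bodies, so this triage tells you who hit the endpoint and when; the body-level key check belongs in the WAF or in full request capture.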
How to Mitigate CVE-2023-41892
Immediate Actions Required
- Upgrade all Craft CMS installations to version 4.4.15 or later immediately
- Audit web server logs for potential exploitation attempts targeting the conditions controller endpoints
- Conduct a security review of affected systems to identify any signs of compromise
- Consider temporarily restricting access to Craft CMS administrative endpoints via network-level controls until patching is complete
Patch Information
Craft CMS 4.4.15 addresses this vulnerability through multiple security commits. The fix introduces a cleanseConfig() function in src/helpers/Component.php that recursively removes any on X or as X keys from configuration arrays, and the conditions controller applies it to both the config body parameter and the parameter that config names before any condition object is created. Additionally, controller execution order was corrected so that the authentication check runs before any user-supplied data is processed.
For detailed patch information, see the two commits referenced above.
Workarounds
- Deploy a WAF rule that URL-decodes request bodies and blocks keys beginning with "on " or "as " in the config parameter of Craft action requests (see the nginx example below) as a temporary measure; expect some false positives on string values that begin the same way
- Restrict network access to Craft CMS administrative and API endpoints to trusted IP addresses only
- If patching is not immediately possible, consider taking vulnerable Craft CMS installations offline until updates can be applied
- Implement additional monitoring and alerting for any activity targeting the conditions controller
# Example nginx configuration to restrict access to the Craft control panel.
# Caveat: Craft also routes the control panel through the "p" query parameter
# (/index.php?p=admin/...), which a path-based location never sees, so the
# query string is checked too. The geo block goes in the http context, the rest
# in the server block. "admin" is Craft's default cpTrigger; adjust if changed.
geo $cp_untrusted_ip {
    default        1;
    192.168.1.0/24 0;   # trusted ranges: adjust to your environment
    10.0.0.0/8     0;
}
location ~* ^/admin(/|$) {
    allow 192.168.1.0/24;
    allow 10.0.0.0/8;
    deny all;
    try_files $uri $uri/ /index.php?$query_string;
}
# Query-routed control-panel access and "on X" / "as X" keys in request bodies
# (requires ngx_http_lua_module). Placed at server level so it also covers direct
# requests to /index.php, which a "location /" block would not see. The body is
# URL-decoded first: Craft action requests are usually form-encoded, so the JSON
# arrives as config=%7B%22as+x%22... and a plain search for '"as ' would miss it;
# "[on " / "[as " catches the same key sent as a PHP nested form name
# (param[as x][class]=...). String values starting with "on " or "as " are
# blocked as well; this is a stopgap until 4.4.15 is deployed.
access_by_lua_block {
    local p = ngx.unescape_uri(ngx.var.arg_p or ""):lower()
    if ngx.var.cp_untrusted_ip == "1" and (p == "admin" or p:find("^admin/")) then
        return ngx.exit(403)
    end
    ngx.req.read_body()
    local body = ngx.req.get_body_data()
    if body == nil and ngx.req.get_body_file() ~= nil then
        return ngx.exit(413)   -- larger than client_body_buffer_size: refuse rather than skip the check
    end
    local decoded = ngx.unescape_uri(body or "")
    for _, needle in ipairs({ '"on ', '"as ', '[on ', '[as ' }) do
        if decoded:find(needle, 1, true) then
            return ngx.exit(403)
        end
    end
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


