Executive Summary

This vulnerability in Webedition CMS v2.9.8.8 allows an authenticated attacker to execute arbitrary system commands on the server by creating a new PHP page and injecting malicious PHP code into the description field. Specifically, the attacker logs into the CMS, selects PHP as the page type, and inserts system commands in the description, which are then executed by the server, leading to remote code execution. [1, 2]

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can lead to a full compromise of the affected server because an attacker with valid credentials can execute arbitrary system commands remotely. This can result in unauthorized access, data theft, server manipulation, or disruption of services. [1, 2]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking for unauthorized or suspicious PHP page creations in the Webedition CMS, especially pages where the Description field contains PHP system commands. One way to detect exploitation attempts is to monitor HTTP POST requests to the endpoint `/webEdition/we_cmd.php` with parameters indicating PHP page creation and suspicious payloads such as `<?php echo system("cat /etc/passwd");?>`. Additionally, reviewing newly created PHP pages for injected system commands can help identify exploitation. Network monitoring tools can be configured to alert on such POST requests or unusual PHP code injections. [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the Webedition CMS to only trusted and authenticated users with the necessary privileges, as the vulnerability requires authenticated access. Disable or restrict the ability to create PHP pages or inject PHP code via the Description field if possible. Applying any available patches or updates from the vendor is recommended. Additionally, monitoring and auditing CMS activity for suspicious page creations and commands can help detect exploitation attempts early. [1, 2]

Useful 0 Not Useful 0