CVE-2022-45544 for SCHLIX CMS v2.2.7-2 is FALSE
The following is a response to CVE-2022-45544 (2022-11-09) authored by Francisco Marinho, who claimed that there is an "Insecure Permission vulnerability in Schlix Web Inc SCHLIX CMS 2.2.7-2 [that] allows attacker to upload arbitrary files and execute arbitrary code." The analysis is incorrect due to the following reasons:
- You need an admin access and his proof of concept didn't demonstrate any unauthorized access to the Theme Manager within SCHLIX CMS.
- If you write a piece of code in the theme's index.php (e.g. system($_GET['tristao']) ) and upload it, of course you can execute it. In any PHP-based CMS where PHP code is allowed in the theme, you can write anything you want, including system ("rm -rf /") and this is NOT AN ERROR and there is NO UNEXPECTED BEHAVIOUR. You can test this with other PHP-based CMS such as Wordpress, Joomla, or Drupal and the behaviour is identical and this is NOT a vulnerability. If you want to disable a certain PHP function deemed dangerous, do it with disable_functions in php.ini.
- There is already a warning in the upload form that you should upload only from a trusted source. We're not responsible for any vulnerability caused by 3rd party plugins. See the second screenshot below.
Francisco's proof of concept, as described in https://github.com/tristao-marinho/CVE-2022-45544/blob/main/README.md and https://www.youtube.com/watch?v=_0X6AzXmhrU, is as follows:
- Login with your account
- Access the directory in url http://[examplewebsite].com/admin/app/core.thememanager
- Download theme Superhero in https://www.schlix.com/extensions.releases/action/download/filename/theme_superhero-1.1.zip
- Unzip theme_superhero-1.1.zip
- Edit file in path superhero/themes/superhero/index.php, adding "system($_GET['tristao']);" on line three.
- Our response: You can add any code here because it's a PHP script. You can execute system ("rm -rf /") or whatever and it will call the system(...) function unless you disable it via php.ini.
- Our response: You can add any code here because it's a PHP script. You can execute system ("rm -rf /") or whatever and it will call the system(...) function unless you disable it via php.ini.
- Zip theme_superhero-1.1.zip
- Click in "INSTALL A PACKAGE"
- Our response: It prompts for the admin password again and there is a warning to upload files only from a trusted source and that we're not responsible for any security vulnerability caused by 3rd party plugins. This is why we put the warning here. People who have access to this are usually web developers who know what they're doing.
- Our response: It prompts for the admin password again and there is a warning to upload files only from a trusted source and that we're not responsible for any security vulnerability caused by 3rd party plugins. This is why we put the warning here. People who have access to this are usually web developers who know what they're doing.
- Upload theme_superhero-1.1.zip
- Active theme superhero
- Acess homepage index.php
Our response: You are an admin of this website and you put an arbitrary code in the theme file, which is index.php, and you should be able to execute it. This behaviour is the same whether you use Wordpress, Drupal, Joomla, or SCHLIX CMS.
Not only the analysis is faulty and demonstrated a lack of due dilligence and programming knowledge on the so called "pentester" part, we weren't even contacted to verify his claim, which is usually the standard procedure for reporting a vulnerability. We have dealt with much more professional and knowledgable individuals in the past and we will acknowledge if there is a vulnerability, but Francisco's analysis for CVE-2022-45544 is completely faulty.
It's best for security researchers to contact us first to validate a vulnerability before publishing it.