MAGNOLIA-8281: FreeMarker Restriction Bypass 2 in Magnolia CMS
- Host: GitHub
- URL: https://github.com/mbadanoiu/magnolia-8281
- Owner: mbadanoiu
- Created: 2024-03-24T15:15:04.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2024-03-24T15:22:41.000Z (over 1 year ago)
- Last Synced: 2025-01-12T09:29:29.580Z (6 months ago)
- Topics: 0-day, authenticated, bypass, remote-code-execution, server-side-template-injection
- Size: 3.19 MB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
# MAGNOLIA-8281: FreeMarker Restriction Bypass 2 in Magnolia CMS
An issue in the FreeMarker Filter of Magnolia CMS v6.2.16 and below allows attackers to bypass security restrictions and read/write/move/copy/delete arbitrary files via a crafted FreeMarker payload. Arbitrary code execution was successfully achieved by writing arbitrary JSP files.
### Vendor Disclosure:
The vendor's disclosure and fix for this vulnerability can be found [here](https://docs.magnolia-cms.com/product-docs/6.2/releases/release-notes-for-magnolia-cms-6.2.17/).
### Why no CVE?
Neither I nor the vendor requested a CVE for these vulnerabilities.
### Proof Of Concept:
More details and the exploitation process can be found in this [PDF](https://github.com/mbadanoiu/MAGNOLIA-8281/blob/main/Magnolia%20CMS%20-%20MAGNOLIA-8281.pdf).
### Additional Resources:
The JSP code used to execute arbitrary system commands can be found [here](https://gist.github.com/nikallass/5ceef8c8c02d58ca2c69a29a92d2f461).