JVNDB-2021-000105

PowerCMS XMLRPC API vulnerable to OS command injection

PowerCMS XMLRPC API provided by Alfasado Inc. contains an OS command injection vulnerability (CWE-78).

Alfasado Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Alfasado Inc. coordinated under the Information Security Early Warning Partnership.

Alfasado Inc.

• PowerCMS 5.19 and earlier (PowerCMS 5 Series)
• PowerCMS 4.49 and earlier (PowerCMS 4 Series)
• PowerCMS 3.295 and earlier (PowerCMS 3 Series)

The developer states that PowerCMS 2 Series and earlier, which are unsupported (End-of-Life, EOL) versions, are affected too.

[Updated on 2021 December 17] According to the developer, the patch released on 2021 October 22 was not sufficient to fix the vulnerability. Therefore, in the case of using XMLRPC API, apply the latest patch according to the information provided by the developer.

An arbitrary OS command may be executed by a remote attacker.

In the case that not using XMLRPC API:

• If using as CGI/FCGI
• Delete mt-xmlrpc.cgi or remove execute permission to mt-xmlrpc.cgi
• If using in PSGI
• By setting environment variable RestrictedPSGIApp xmlrpc, prohibit XMLRPC application

In the case that using XMLRPC API:
[Upgrade the software and Apply the patch]
Update the software to the latest version, and then apply the patch according to the information provided by the developer.

[Apply the workaround]
If an update cannot be applied, applying the following workaround may mitigate the impact of this vulnerability.

• Restrict access to mt-xmlrpc.cgi (e.g. Restrict access only to trusted connection source, Set HTTP authentication)

Alfasado Inc.

• Alfasado Inc. : Alfasado Inc. website (in Japanese)

1. OS Command Injection(CWE-78) [IPA Evaluation]

1. CVE-2021-20850

1. JVN : JVN#17645965

• [2021/11/24]
    Web page was published
• [2021/12/21]
    Affected Products : Content was added