Missing server signature validation in OctoberCMS

Moderate severity GitHub Reviewed Published Feb 23, 2022 in octobercms/october • Updated Feb 3, 2023

Package

october/system (Composer)

Affected versions

>= 1.1.0, < 1.1.11
< 1.0.475

Patched versions

1.1.11
1.0.475

Description

Impact

This advisory affects authors of plugins and themes listed on the October CMS marketplace where an end-user will inadvertently expose authors to potential financial loss by entering their private license key into a compromised server.

It has been disclosed that a project fork of October CMS v1.0 is using a compromised gateway to access the October CMS marketplace service. The compromised gateway captures the personal/business information of users and authors, including private source code files. It was also disclosed that captured plugin files are freely redistributed to other users without authorization.

  1. End-users are provided with a forked version of October CMS v1.0. The provided software is modified to use a compromised gateway server.

  2. The user is instructed to enter their October CMS license key into the administration panel to access the October CMS marketplace. The key is sent to the compromised server while appearing to access the genuine October CMS gateway server.

  3. The compromised gateway server uses a "man in the middle" mechanism that captures information while forwarding the request to the genuine October CMS gateway and relaying the response back to the client.

  4. The compromised gateway server stores the license key and other information about the user account including client name, email address and contents of purchased plugins and privately uploaded plugin files.

  5. The stored plugin files are made available to other users of the compromised gateway server.

Patches

The issue has been patched in Build 475 (v1.0.475) and v1.1.11.

Workarounds

Apply octobercms/october@e3b455a to your installation manually if unable to upgrade to Build 475 or v1.1.11.

Recommendations

We recommend the following steps to make sure your account information stays secure:

  • Do not share your license key with anyone except October CMS.
  • Check to make sure that your gateway update server has not been modified.
  • Be aware of phishing websites, including other platforms that use the same appearance.
  • For authors, you may contact us for help requesting the removal of affected plugins.
  • Before providing plugin support, verify that the user holds a legitimate copy of the plugin.

References

Credits for research on this exploit:
• Nikita Khaetsky

For more information

If you have any questions or comments about this advisory:

daftspunk published to octobercms/october Feb 23, 2022
Published by the National Vulnerability Database Feb 24, 2022
Published to the GitHub Advisory Database Feb 24, 2022
Reviewed Feb 24, 2022
Last updated Feb 3, 2023

Severity

Moderate

CVSS v3 base metrics

  • Attack vector: Network
  • Attack complexity: High
  • Privileges required: Low
  • User interaction: Required
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

EPSS score

0.128%
(48th percentile)

Weaknesses

CVE ID

CVE-2022-23655

GHSA ID

GHSA-53m6-44rc-h2q5
