CVE-2018-7486 in Blue River Mura

Summary

by MITRE

Blue River Mura CMS before v7.0.7029 supports inline function calls with an [m] tag and [/m] end tag, without proper restrictions on file types or pathnames, which allows remote attackers to execute arbitrary code via an [m]$.dspinclude("../pathname/executable.jpeg")[/m] approach, where executable.jpeg contains ColdFusion Markup Language code. This can be exploited in conjunction with a CKFinder feature that allows file upload.


Analysis

by VulDB Data Team • 01/08/2020

The vulnerability identified as CVE-2018-7486 affects Blue River Mura CMS versions prior to v7.0.7029 and represents a critical remote code execution flaw stemming from inadequate input validation within the CMS's inline function call mechanism. This vulnerability specifically targets the [m] tag processing system that allows users to embed dynamic content through markup language syntax, creating a dangerous attack surface when combined with file upload capabilities. The flaw resides in the CMS's failure to properly sanitize or restrict file types and pathnames during the processing of these inline markup tags, enabling attackers to craft malicious payloads that can execute arbitrary code on the target system.

Exploitation relies on an inline function call that uses the [m] tag syntax to include and execute a file regardless of its extension. Attackers can upload malicious files with extensions like .jpeg that actually contain ColdFusion Markup Language code, then reference these files through the vulnerable inline processing mechanism. The attack vector specifically involves the [m]$.dspinclude("../pathname/executable.jpeg")[/m] syntax: the system processes the included file without validating its content type or file extension, effectively treating the .jpeg file as executable code. This approach exploits the CMS's lack of file type verification and path traversal restrictions, allowing attackers to bypass normal security controls.

The operational impact of this vulnerability extends beyond simple code execution, as it provides attackers with full control over the affected CMS instance and potentially the underlying server infrastructure. The vulnerability can be exploited through the CKFinder file upload feature: attackers upload malicious files to the server, then use the inline processing mechanism to execute them. This combination forms a full attack chain that can lead to complete system compromise, data theft, and potential lateral movement within network environments. The vulnerability affects organizations using older versions of Mura CMS, potentially exposing critical business applications and content management systems to unauthorized access and manipulation.

Organizations should immediately implement mitigations including upgrading to Mura CMS version 7.0.7029 or later, which includes proper input validation and file type restrictions for inline function calls. Additional protective measures should include implementing strict file upload restrictions, disabling unnecessary file upload features, and configuring proper access controls for CKFinder and inline processing functionality. The vulnerability aligns with CWE-22 Path Traversal and CWE-94 Code Injection, both classified under the OWASP Top Ten as critical security risks. From an ATT&CK perspective, this vulnerability maps to T1059 Command and Scripting Interpreter and T1203 Exploitation for Client Execution, demonstrating how attackers can leverage content management system flaws to establish persistent access and execute malicious code within target environments.
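A defensive check for both halves of the chain described above, as an added example (not Mura or VulDB code): it flags [m] tags whose dspinclude path traverses directories or points at a non-template file, and image-extension uploads that contain CFML tags. The .cfm/.cfc allowlist, the image extension list and all sample inputs are assumptions constructed for illustration.

```python
import re

# Inline Mura tag from the advisory: [m] ... [/m]
M_TAG = re.compile(r"\[m\](.*?)\[/m\]", re.IGNORECASE | re.DOTALL)
# dspinclude("...") call with a quoted path argument
DSPINCLUDE = re.compile(r"dspinclude\s*\(\s*[\"']([^\"']+)[\"']", re.IGNORECASE)
# CFML tag opener such as <cfexecute or <cfscript (may false-positive on binary data)
CFML_TAG = re.compile(rb"<\s*cf[a-z]+", re.IGNORECASE)
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")  # assumption: extensions the uploader accepts
TEMPLATE_EXT = (".cfm", ".cfc")                # assumption: the only legitimate include targets


def suspicious_includes(content):
    """Return dspinclude paths inside [m] tags that traverse directories
    or point at a file that is not a CFML template."""
    hits = []
    for body in M_TAG.findall(content):
        for path in DSPINCLUDE.findall(body):
            norm = path.replace("\\", "/").lower()
            if ".." in norm.split("/") or not norm.endswith(TEMPLATE_EXT):
                hits.append(path)
    return hits


def image_contains_cfml(filename, data):
    """True when a file with an image extension carries CFML tags."""
    return filename.lower().endswith(IMAGE_EXT) and bool(CFML_TAG.search(data))


if __name__ == "__main__":
    # Constructed samples: stored content bodies and uploaded files.
    bodies = [
        '<p>[m]$.dspinclude("../pathname/executable.jpeg")[/m]</p>',
        '<p>[m]$.dspinclude("display_objects/custom/banner.cfm")[/m]</p>',
    ]
    uploads = {
        "executable.jpeg": b"\xff\xd8\xff\xe0<cfoutput>#now()#</cfoutput>",
        "photo.jpeg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    }
    for body in bodies:
        print(suspicious_includes(body), "<-", body)
    for name, data in uploads.items():
        print(name, "contains CFML:", image_contains_cfml(name, data))
```

Run it over exported content bodies and the CKFinder upload directory; a hit in both for the same file name is the pairing the advisory describes.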

Reservation: 02/26/2018

Disclosure: 02/26/2018

Moderation: accepted

CPE: ready

EPSS: 0.04331

KEV: no

Activities: very low
