Room for Escape: Scribbling Outside the Lines of Template Security

Conference:  Defcon 28



The presentation covers security vulnerabilities found in content management systems (CMS) and template engines, and argues for targeted security testing and a smaller attack surface.
  • 30 new vulnerabilities were found and reported to the vendors
  • 20 different products are affected
  • Content management systems should be on the radar of red teams
  • User-manageable templates for dynamic content are the main target in such systems
  • The areas that carry the highest security risk should be reviewed and tested first
  • Reduce the attack surface as much as possible
The presenters found a vulnerability in SharePoint Server in which an attacker could achieve arbitrary code execution through an ObjectDataSource control, demonstrated by launching the calculator. This highlights the need for security testing and attack-surface reduction in content management systems.


Now more than ever, digital communication and collaboration are essential to the modern human experience. Shared digital content is everywhere and Content Management Systems (CMS) play a crucial role allowing users to design, create, modify and visualize dynamic content. In our research we discovered multiple ways to achieve Remote Code Execution (RCE) on CMS platforms through which an attacker can take full control of the resources your organization relies on. Using a Microsoft SharePoint server as our main CMS attack surface, we combined flaws in its implementation and design with framework and language specific features to find six unique RCE vulnerabilities. In addition, we discovered ways to escape template sandboxes of the most popular Java template engines and achieved RCE in many products including: Atlassian Confluence, Alfresco, Liferay, Crafter CMS, XWiki, Apache OFBiz, and more. We will analyze how these products and frameworks implement security controls and review the various techniques that we used to bypass them. We will describe all the vulnerabilities we uncovered in detail and show working demos of the most interesting attacks. Finally, we will present our general review methodologies for systems with dynamic content templates and provide practical recommendations to better protect them.
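The abstract promises practical recommendations for systems with user-managed templates but does not name the engines or the settings involved. The following is an added example, not code from the talk or from any of the products it lists. It assumes Apache FreeMarker (chosen here as one widely used Java template engine; the page does not say which engines were studied) and uses only behaviour FreeMarker documents itself: the `?new` built-in, which by default can instantiate any class on the classpath, and the object wrapper's exposure level. The template string, the model and the class names in it are constructed for this example.

```java
import freemarker.core.TemplateClassResolver;
import freemarker.ext.beans.BeansWrapper;
import freemarker.template.Configuration;
import freemarker.template.DefaultObjectWrapperBuilder;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not from the talk): a template that a CMS lets users edit is an
 * untrusted program. FreeMarker's defaults let such a template leave its data
 * model; the hardened configuration below closes the documented escape routes.
 * Assumes FreeMarker 2.3.31 or newer on the classpath.
 */
public class TemplateAttackSurface {

    // Constructed sample of a user-managed template. FreeMarker's own documentation
    // warns that ?new can instantiate classes such as
    // freemarker.template.utility.Execute, which runs OS commands.
    static final String USER_TEMPLATE =
        "Hello ${user}! ${\"freemarker.template.utility.Execute\"?new()(\"id\")}";

    /** Weak setting: ?new resolves any class (this is FreeMarker's default),
     *  so the second expression in USER_TEMPLATE executes "id" on the host. */
    static Configuration weakConfiguration() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.UNRESTRICTED_RESOLVER);
        return cfg;
    }

    /** Reduced attack surface for templates authored by untrusted users. */
    static Configuration hardenedConfiguration() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        // ?new may not instantiate any class at all.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        // ?api would hand the template the raw Java object; keep it off (default, made explicit).
        cfg.setAPIBuiltinEnabled(false);
        // Expose only JavaBean properties of model objects: no methods, no fields.
        DefaultObjectWrapperBuilder wrapper =
            new DefaultObjectWrapperBuilder(Configuration.VERSION_2_3_31);
        wrapper.setExposeFields(false);
        wrapper.setExposureLevel(BeansWrapper.EXPOSE_PROPERTIES_ONLY);
        cfg.setObjectWrapper(wrapper.build());
        return cfg;
    }

    /** Renders one template source against a model; a refused escape surfaces as TemplateException. */
    static String render(Configuration cfg, String source, Map<String, Object> model)
            throws IOException, TemplateException {
        Template template = new Template("user-template", new StringReader(source), cfg);
        StringWriter out = new StringWriter();
        template.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws IOException {
        Map<String, Object> model = new HashMap<>();
        model.put("user", "alice");
        try {
            System.out.println(render(hardenedConfiguration(), USER_TEMPLATE, model));
        } catch (TemplateException e) {
            // Expected with the hardened configuration: ALLOWS_NOTHING_RESOLVER refuses ?new.
            System.out.println("Escape attempt blocked: " + e.getMessage());
        }
        // Rendering the same template with weakConfiguration() would run "id" instead.
    }
}
```

The point of the pairing is the review question the abstract raises: for every engine feature reachable from a user-editable template (class instantiation, raw object access, method invocation on model objects), find the switch that turns it off and verify that the switch is actually set in the product, not just available.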


