Attack Chain

1. Attacker authenticates to the TextPattern CMS 4.8.7 application with valid credentials.
2. Attacker navigates to the “Files” section within the content area of the CMS.
3. Attacker uploads a malicious PHP file (webshell) through the file upload functionality. This file contains PHP code designed to execute system commands.
4. The CMS saves the uploaded file to the /textpattern/files/ directory.
5. Attacker crafts a malicious HTTP GET request to access the uploaded PHP file (e.g., /textpattern/files/shell.php).
6. The GET request includes parameters that are passed to the system function within the uploaded PHP file (e.g., /textpattern/files/shell.php?cmd=id).
7. The server executes the system command specified in the GET parameter via the system function.
8. The output of the executed command is returned to the attacker in the HTTP response, allowing the attacker to gain command execution on the server.

Impact

Successful exploitation of this vulnerability grants the attacker the ability to execute arbitrary commands on the web server. This could lead to complete compromise of the server, data exfiltration, defacement of the website, or further lateral movement within the network. While the specific number of affected installations is unknown, any TextPattern CMS 4.8.7 instance with authenticated users is potentially vulnerable.

Recommendation

• Apply available patches or upgrade to a secure version of TextPattern CMS to remediate CVE-2021-47943.
• Deploy the Sigma rule “Detect CVE-2021-47943 TextPattern File Upload RCE” to detect attempts to exploit this vulnerability by monitoring for access to uploaded PHP files in the /textpattern/files/ directory.
• Implement strict file upload policies, including file type validation and size limits, to prevent the upload of malicious files.
• Restrict access to the /textpattern/files/ directory to authorized users only.