Attack Chain

1. The attacker authenticates to the Schlix CMS application.
2. The attacker navigates to the block manager interface within the CMS.
3. The attacker crafts a malicious ZIP file containing a PHP file, commonly named packageinfo.inc, with the injected PHP code intended for execution.
4. The attacker uploads the malicious ZIP file as a new extension through the block manager.
5. The Schlix CMS processes the uploaded ZIP file and installs the “extension”.
6. The attacker navigates to the “About” tab of the installed extension through the CMS interface.
7. Accessing the “About” tab triggers the execution of the injected PHP code within the packageinfo.inc file.
8. The attacker achieves remote code execution on the server, potentially leading to complete system compromise.

Impact

Successful exploitation of CVE-2021-47964 allows an authenticated attacker to execute arbitrary PHP code on the affected Schlix CMS server. This can lead to complete system compromise, data theft, website defacement, or further lateral movement within the network. Given the ease of exploitation and the severity of the impact, organizations using Schlix CMS 2.2.6-6 are at significant risk.

Recommendation

• Upgrade to a patched version of Schlix CMS that addresses CVE-2021-47964, if available.
• Deploy the Sigma rule “Detect CVE-2021-47964 Exploitation — Malicious Extension Upload” to detect attempts to upload malicious ZIP files containing PHP code via the block manager.
• Monitor web server logs for POST requests to the block manager interface (/admin/) with suspicious ZIP file uploads, as indicated in the Sigma rule.
• Implement strict access control policies to limit who can upload and install extensions within the Schlix CMS environment.