<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Chyrp - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/chyrp/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 23 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/chyrp/feed.xml" rel="self" type="application/rss+xml"/><item><title>Chyrp Lite Path Traversal Vulnerability Leads to Remote Code Execution</title><link>https://feed.craftedsignal.io/briefs/2024-01-chyrp-lite-path-traversal/</link><pubDate>Tue, 23 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-chyrp-lite-path-traversal/</guid><description>A path traversal vulnerability in Chyrp Lite blogging engine prior to version 2026.01 allows an administrator or a user with Change Settings permission to download arbitrary files, including configuration files containing database credentials, and overwrite critical system files, leading to remote code execution.</description><content:encoded><![CDATA[<p>Chyrp Lite, an ultra-lightweight blogging engine, is vulnerable to a path traversal attack in versions prior to 2026.01. This vulnerability exists within the administration console, specifically affecting the handling of upload paths. An authenticated administrator, or a user with the 'Change Settings' permission, can manipulate the application to modify the designated uploads path to any directory on the server. This manipulation allows for the potential download of sensitive files, such as <code>config.json.php</code>, which contains database credentials. Furthermore, it enables the overwriting of critical system files. Successful exploitation of this vulnerability leads to remote code execution, making it a critical risk for organizations utilizing affected versions of Chyrp Lite. Update to version 2026.01 or later to remediate this vulnerability.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker authenticates to the Chyrp Lite administration console, either as an administrator or as a user with 'Change Settings' permissions.</li>
<li>The attacker navigates to the settings page within the administration console.</li>
<li>The attacker modifies the uploads path setting, using path traversal techniques (e.g., &quot;../&quot;) to point to an arbitrary directory on the server.</li>
<li>The attacker leverages the modified uploads path to download sensitive files, such as <code>config.json.php</code>, which contains database credentials. This can be achieved by uploading a file to the manipulated path, and then accessing it via a crafted URL, or by directly requesting the file if webserver access is permitted for that directory.</li>
<li>The attacker gains access to the database credentials stored in <code>config.json.php</code>.</li>
<li>The attacker uses the compromised database credentials to gain further access to the Chyrp Lite system.</li>
<li>The attacker leverages the file upload functionality, combined with the path traversal vulnerability, to overwrite critical system files with malicious code (e.g., PHP webshell).</li>
<li>The attacker executes the malicious code via a web request, achieving remote code execution on the server.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-35174 allows an attacker to gain complete control of the Chyrp Lite server. This can lead to data breaches involving sensitive information stored in the database, defacement of the blog, or the server being used as a platform for further malicious activities. The CVSS v3.1 base score for this vulnerability is 9.1, indicating its critical severity. The number of potential victims depends on the number of organizations using vulnerable versions of Chyrp Lite, which is an ultra-lightweight blogging engine, suggesting a smaller installation base than larger CMS platforms.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade Chyrp Lite to version 2026.01 or later to patch CVE-2026-35174.</li>
<li>Monitor web server logs for suspicious requests containing path traversal sequences (e.g., &quot;../&quot;) targeting the Chyrp Lite installation directory to detect exploitation attempts. Deploy the provided Sigma rule <code>Detect Chyrp Lite Path Traversal Attempts</code> to your SIEM.</li>
<li>Implement strict access control policies on the Chyrp Lite server, limiting the number of users with 'Change Settings' permissions.</li>
<li>Review the configuration of your Chyrp Lite installation to ensure proper file permissions and restrict web server access to sensitive files such as <code>config.json.php</code>. Deploy the provided Sigma rule <code>Detect Access to Sensitive Chyrp Lite Configuration File</code> to your SIEM.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>chyrp-lite</category><category>path-traversal</category><category>rce</category><category>cve-2026-35174</category></item></channel></rss>