Mura CMS was a popular open-source content management system (CMS) written in ColdFusion. While initially an open-source project maintained by blueriver.com, it was re-licensed as a closed-source cloud application with the release of Mura CMS v10 in 2020. There are forked open-source projects based on the last open-source release of Mura CMS 7.1, including Masa CMS – which is currently maintained at v7.4.
Mura CMS 7.x and Masa CMS versions v7.4.0-beta and earlier contain an authentication bypass vulnerability that allows an unauthenticated attacker to log in as any site member or system user. The root cause is a conditional logic flaw in the "remember me" code. In short, a well-formed request can deliver the arguments.userHash variable with no value; the condition that checks whether arguments.userHash is empty OR equals the user's stored hash then evaluates to true, and the login proceeds without a valid hash. An empty value reaches that check by passing an empty userHash cookie value on Lucee, or a single irrelevant character on Adobe ColdFusion.
For this article, I am only focusing on the open-source version. Mura CMS 10 is covered by a different CVE (CVE-2022-47003). The Common Vulnerabilities and Exposures (CVE) database describes this vulnerability as follows:
CVE-2022-47002 – Authentication Bypass Vulnerability in Masa CMS (Base Score: 9.8 CRITICAL)
A vulnerability in the Remember Me function of Masa CMS v7.2, 7.3, and 7.4-beta allows attackers to bypass authentication via a crafted web request.
Fixed Version(s): Masa CMS v7.2.5, Masa CMS v7.3.10, Masa v7.4.0-beta.3 and later
This vulnerability was reported to Mura Software and Masa CMS on November 28, 2022. Information for the general public was released on December 12, 2022 by Masa CMS and Mura CMS. On February 1, 2023 the CVEs were published, and on March 6, 2023 the technical details of the issue were published.
If you are still wondering who uses Mura CMS: many websites got caught up in this unexpected switch-out and either don't currently have the budget to rewrite the site or have no pressing reason to. Web Tech Survey and W3Techs have some interesting market share metrics.
How Do I Fix It?
There are a few options:
- Pay Mura CMS $5,000 for the patch, as the affected versions are no longer supported
- Upgrade to the latest version of Masa CMS (Mura 7.1: easy; Mura 7.0: not as easy; Mura 6.x: expect to rewrite/replace your site templates)
- Reach out to CF Webtools for assistance from a developer
- Upgrade to the current version of commercial Mura
- Change the code shown below:
Mura 7.x
For Mura 7.0.x and later the file should be core/mura/login/loginManager.cfc. Earlier Mura 7.0.x builds have it at requirements/mura/login/loginManager.cfc.
Find:
if ( !len(arguments.userHash) || arguments.userHash == rsUser.userHash ) {
Replace with:
if ( len(arguments.userid) && len(arguments.userHash) && arguments.userHash == rsUser.userHash ) {
Mura 6.x
The file should be requirements/mura/login/loginManager.cfc
Find:
<cfif not len(arguments.userHash) or arguments.userHash eq rsUser.userHash>
<cfset isloggedin=variables.userUtility.loginByUserID(rsUser.userID,rsUser.siteID)>
Replace With:
<cfif len(arguments.userHash) and arguments.userHash eq rsUser.userHash>
<cfset isloggedin=variables.userUtility.loginByUserID(rsUser.userID,rsUser.siteID)>
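To see why the one-line change above matters, and to check whether a given loginManager.cfc still carries the flaw, here is an added Python example (not code from the original post, nor from the Mura or Masa code base). It models the "remember me" condition before and after the fix described earlier in this article, and scans a file for the vulnerable and patched forms of the userHash check in both the Mura 7.x cfscript form and the Mura 6.x tag form. The file paths are the ones named above; the sample file contents embedded in the script are constructed, and the cfscript body around the 7.x condition is an assumption.

```python
"""Model of the CVE-2022-47002 remember-me check and a patch-status scanner.

Added example, not part of the original post or of the Mura/Masa code base.
"""
import re
import sys

# Vulnerable form, Mura 7.x (cfscript): `!len(arguments.userHash) || ...`
VULN_SCRIPT = re.compile(
    r"!\s*len\s*\(\s*arguments\.userHash\s*\)\s*\|\|", re.IGNORECASE)
# Vulnerable form, Mura 6.x (tags): `<cfif not len(arguments.userHash) or ...`
VULN_TAG = re.compile(
    r"<cfif\s+not\s+len\s*\(\s*arguments\.userHash\s*\)\s+or\b", re.IGNORECASE)
# Patched forms: a non-empty userHash is required (AND-ed), not optional.
FIXED_SCRIPT = re.compile(
    r"len\s*\(\s*arguments\.userHash\s*\)\s*&&\s*arguments\.userHash\s*==\s*rsUser\.userHash",
    re.IGNORECASE)
FIXED_TAG = re.compile(
    r"<cfif\s+len\s*\(\s*arguments\.userHash\s*\)\s+and\s+arguments\.userHash\s+eq\s+rsUser\.userHash",
    re.IGNORECASE)


def remember_me_accepts(user_hash: str, stored_hash: str, patched: bool) -> bool:
    """Model of the remember-me condition before and after the fix.

    Vulnerable form: `!len(userHash) || userHash == stored` short-circuits to
    true whenever userHash is empty, regardless of what is stored.
    Patched form: `len(userHash) && userHash == stored` requires a non-empty,
    matching hash. (The patch keeps a plain `==`; a constant-time comparison
    would be a separate hardening and is not part of the fix quoted above.)
    """
    if not patched:
        return len(user_hash) == 0 or user_hash == stored_hash
    return len(user_hash) > 0 and user_hash == stored_hash


def classify_login_manager(source: str) -> str:
    """Return 'vulnerable', 'patched' or 'unknown' for a loginManager.cfc body."""
    if VULN_SCRIPT.search(source) or VULN_TAG.search(source):
        return "vulnerable"
    if FIXED_SCRIPT.search(source) or FIXED_TAG.search(source):
        return "patched"
    return "unknown"


# Constructed sample file contents (the cfscript body is an assumption).
SAMPLE_VULNERABLE_7X = """
    if ( !len(arguments.userHash) || arguments.userHash == rsUser.userHash ) {
        isloggedin = variables.userUtility.loginByUserID(rsUser.userID, rsUser.siteID);
    }
"""
SAMPLE_PATCHED_7X = """
    if ( len(arguments.userid) && len(arguments.userHash) && arguments.userHash == rsUser.userHash ) {
        isloggedin = variables.userUtility.loginByUserID(rsUser.userID, rsUser.siteID);
    }
"""
SAMPLE_VULNERABLE_6X = """
<cfif not len(arguments.userHash) or arguments.userHash eq rsUser.userHash>
    <cfset isloggedin=variables.userUtility.loginByUserID(rsUser.userID,rsUser.siteID)>
</cfif>
"""
SAMPLE_PATCHED_6X = """
<cfif len(arguments.userHash) and arguments.userHash eq rsUser.userHash>
    <cfset isloggedin=variables.userUtility.loginByUserID(rsUser.userID,rsUser.siteID)>
</cfif>
"""


def main(argv):
    # Default to the two file locations named in the article.
    paths = argv[1:] or ["core/mura/login/loginManager.cfc",
                         "requirements/mura/login/loginManager.cfc"]
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                print(f"{path}: {classify_login_manager(fh.read())}")
        except OSError as exc:
            print(f"{path}: cannot read ({exc})")


if __name__ == "__main__":
    # Show the logic flaw on the constructed samples, then scan real files.
    for label, sample in (("7.x vulnerable", SAMPLE_VULNERABLE_7X),
                          ("7.x patched", SAMPLE_PATCHED_7X),
                          ("6.x vulnerable", SAMPLE_VULNERABLE_6X),
                          ("6.x patched", SAMPLE_PATCHED_6X)):
        print(f"sample {label}: {classify_login_manager(sample)}")
    main(sys.argv)
```

Run it from the web root with no arguments to check both default paths, or pass the path of your own loginManager.cfc. A result of "unknown" means neither pattern was found (for example, a customised file or a different release), so that file still needs a manual look at the "remember me" condition.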
Thank you to Hoya Haxa security research blog for the in-depth information. Read more details at Authentication Bypass Vulnerability in Mura CMS and Masa CMS (CVE-2022-47003 and CVE-2022-47002).
Keep in mind that Mura 6.x and Mura 7.x have other security vulnerabilities, so I would recommend either upgrading to the current Masa version (https://www.masacms.com/) or moving to a different CMS such as ContentBox or Preside (Lucee only) if you wish to stay with an open-source ColdFusion CMS.
Disclaimer: This is a community outreach to help those who need a fix. While these fixes should resolve the specific issue described, other factors may keep this vulnerability exposed. Be sure to test your implementation.
CVE-2017-15639 Any user can cause Mura CMS before version 6.2 to make an HTTP request. (Base Score: 6.5 MEDIUM)
tasks/feed/readRSS.cfm in Mura CMS before 6.2 allows attackers to bypass intended access restrictions by leveraging the “draggable feeds” feature.
Fixed Version(s): Mura 6.2
CVE-2017-8302 Cross-site scripting vulnerabilities (XSS) (Base Score: 5.4 MEDIUM)
Mura CMS before 7.0.6967 allows admin/?muraAction= XSS attacks, related to admin/core/views/carch/list.cfm, admin/core/views/carch/loadsiteflat.cfm, admin/core/views/cusers/inc/dsp_nextn.cfm, admin/core/views/cusers/inc/dsp_search_form.cfm, admin/core/views/cusers/inc/dsp_users_list.cfm, admin/core/views/cusers/list.cfm, and admin/core/views/cusers/listusers.cfm.
Fixed Version(s): ?
CVE-2018-7486 Access control vulnerability (Base Score: 7.2 HIGH)
Mura CMS before v7.0.7029 supports inline function calls with an [m] tag and [/m] end tag, without proper restrictions on file types or pathnames, which allows remote attackers to execute arbitrary code via an [m]$.dspinclude("../pathname/executable.jpeg")[/m] approach, where executable.jpeg contains ColdFusion Markup Language code. This can be exploited in conjunction with a CKFinder feature that allows file upload.
Fixed Version(s): 7.0.7029