CVE-2024-52291: 
PHP vulnerability analysis and mitigation

A vulnerability in CraftCMS (CVE-2024-52291) allows attackers to bypass local file system validation by utilizing a double file:// scheme. The vulnerability was discovered and disclosed on November 13, 2024, affecting CraftCMS versions 5.0.0-RC1 through 5.4.5.1 and 4.0.0-RC1 through 4.12.4.1. This security flaw requires an authenticated administrator account with allowAdminChanges enabled to be exploited (GitHub Advisory).

The vulnerability exists in the FileHelper.php file where the file system validation only removes the leftmost file:// protocol wrapper. This can be bypassed by using a double file:// scheme (e.g., file://file:////), allowing attackers to specify sensitive folders as the file system. The issue has been assigned a CVSS v3.1 base score of 8.4 HIGH (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H) and is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (NVD, GitHub Advisory).

The vulnerability enables attackers to perform file overwriting through malicious uploads, gain unauthorized access to sensitive files, and potentially achieve remote code execution (RCE) via Server-Side Template Injection (SSTI) payloads. Attackers can assign sensitive folders as the base path of the filesystem, potentially uploading tampered files to overwrite critical web application files or retrieve sensitive configuration files from the local file system (GitHub Advisory).

The vulnerability has been fixed in CraftCMS versions 5.4.6 and 4.12.5. Users are strongly advised to upgrade to these patched versions. As a general security practice, it is recommended to set allowAdminChanges to false in production environments (GitHub Advisory).