Room for Escape: Scribbling Outside the Lines of Template Security Oleksandr Mirosh (
[email protected]) & Alvaro Muñoz (
[email protected]) Abstract Now more than ever, digital communication and collaboration are essential to the modern human experience. People around the globe work together online as they share information, create documents, send emails, and collaborate on spreadsheets and presentations. Shared digital content is everywhere and networked communication platforms and software play a crucial role. Content Management Systems (CMS) allow the user to design, create, modify, and visualize dynamic content. For many companies, CMS platforms are pivotal to their content pipelines and workforce collaboration. In our research, we discovered multiple ways to achieve Remote Code Execution (RCE) on CMS platforms where users can create or modify templates for dynamic content. In today's multi-tenancy ecosystems, this often implies that a co-tenant on the same system can take over control of the CMS resources on which your organization relies. Using Microsoft Sharepoint and a variety of Java template engines as our main CMS attack surface, we combined implementation and design flaws with framework and language specific features to find more than twenty unique RCE vulnerabilities in Microsoft Sharepoint, Atlassian Confluence, Alfresco, Liferay, Crafter CMS, dotCMS, XWiki, Apache Ofbiz, and more. This paper presents our analysis of how these products and frameworks implement security controls and reviews techniques we used to bypass them. We describe all the vulnerabilities we uncovered in detail and show working demos of the most interesting attacks where unprivileged users can run arbitrary commands on SharePoint or Liferay servers.