CVE-2023-2017 - Dangerous Server-side Template Injection (SSTI) in Shopware 6 — Practical Exploit & Analysis

Shopware is a popular e-commerce platform used by thousands of businesses worldwide. In 2023, a critical security flaw known as CVE-2023-2017 was discovered, allowing remote attackers to execute arbitrary code on vulnerable Shopware 6 installations. This vulnerability affects Shopware version 6.4.20. and earlier, and certain release candidates of the 6.5 series. The exploit relies on a *Server-side Template Injection (SSTI)* in the Twig templating system, offering potential attackers a dangerous pathway straight to your server.

Let’s break down what’s happening, how this code execution was possible, and how to protect your Shopware instance.

Impact: Remote Code Execution (RCE)

- Exploit Scope: Anyone with access to a Twig environment (unsandboxed) can execute arbitrary PHP functions

Fixed in: Shopware 6.4.20.1 and later

- Bypass Of: CVE-2023-22731
- Original Discovery: Shopware Security Advisory SA-2023-06

How Shopware Uses Twig

Shopware relies heavily on the Twig templating engine for rendering dynamic content and templates. Insecure use of Twig—especially in administrative areas or plugin systems—can lead to code execution if user-supplied content is evaluated without strong isolation.

SecurityExtension and Its Role

Shopware attempts to protect Twig by using the Shopware\Core\Framework\Adapter\Twig\SecurityExtension. This tries to limit which functions can be called from within templates.

The Bypass

Older Shopware versions tried to fix a similar issue (see CVE-2023-22731) but missed an edge case: fully qualified class names supplied as an array of strings when referencing callables. This means the bypass does not use the classic function('phpinfo') trick, but instead uses the array callable syntax (which PHP allows).

If the Twig environment does not have the Sandbox extension enabled (which is often the case), template authors or attackers with template access can execute basically any PHP function—even with the supposed SecurityExtension in place.

Practical Exploit Example

Suppose a user has access to input that is rendered in a Twig template. The following snippet shows how an attacker can call arbitrary PHP functions, such as system or phpinfo, sidestepping Shopware’s intended restrictions.

Example: Execute a Shell Command

{# Dangerous Twig payload #}
{{ ["system"]("ls -al /") }}

Explanation:

Similarly, arbitrary functions can be called

{{ ["phpinfo"]() }}

or  

{{ ["file_put_contents"]("/tmp/hacked", "You got owned!") }}

Why Is This So Dangerous?

- Remote attackers can execute server commands: The attacker only needs Twig template access—which is often possible for plugin developers or compromised admins.
- Bypasses security checks: Shopware’s previous patch only blocked simple calls, failing to consider callable arrays.

Technical Deep Dive

Relevant vulnerable code location:  
SecurityExtension in Shopware/core

public function call($callable, ...$arguments)
{
    if (is_string($callable)) {
        // Validation here (incomplete: array callables are missed)
    }
    // ...
    return call_user_func_array($callable, $arguments);
}

How Was It Fixed?

Shopware 6.4.20.1 applies proper filtering and validation for *all callable formats*, including array-based callables.  
See the fix:  
- Shopware Platform Security Fix PR
- Shopware Core Security Fix PR

Upgrade Immediately:

If you’re running any vulnerable Shopware version (<= 6.4.20. or 6.5..-rc1 to rc4), upgrade to at least 6.4.20.1.

Restrict Twig Access:

Ensure only trusted users/plugins can inject or modify templates.

Consider Enabling Twig’s Sandbox Extension:

If using templates editable by users or external parties, enable Twig’s Sandbox Extension for even stricter isolation.

Audit Plugins:

Third-party or custom plugins/templates may expose additional risks. Audit them or restrict their permissions.

References

- nvd.nist.gov: CVE-2023-2017
- Shopware Security Advisory SA-2023-06
- Shopware Core Vulnerability Patch
- Twig Sandbox Extension

Final Thoughts

CVE-2023-2017 is a great example of how subtle issues in template engines can have catastrophic impacts. If you run Shopware, patch now! If you write software based on Twig (or any template language), always assume user-supplied templates or data should be considered hostile. Enable sandboxes, restrict callable functions, and keep up-to-date with security advisories.

Stay safe, and always test your security! 🚨


*If you found this helpful, share it with your team and keep your software secure!*

Timeline

Published on: 04/17/2023 11:15:00 UTC
Last modified on: 04/28/2023 14:27:00 UTC