April 2, 2024

Preemptive Clarification: No RCE Vulnerability in Upcoming April 3 Report

A security researcher reported that users with Edit Content Interface Only access can execute PHP in Breakdance.

Despite the clear warnings about this in the UI and the linked documentation, this has been accepted as an RCE report.

This is not a valid RCE report. 

By design, Breakdance’s Client Access feature allows those with Breakdance access to execute PHP.

The Client Access feature is off by default, and there is a security notice directly above the feature with more details. This security notice has been present since Client Access was introduced.

Screenshot of the security notice above the Client Access settings in Breakdance's UI.

The reporting organization also advised the following, directly quoted from the report: “…if this must be supported, then we recommend adding an opt-in setting where the admin can define which user roles have the ability to define and execute the PHP code.” 

This is exactly how it currently works, and exactly how it has always worked.

Despite attempting to work with the reporting organization by following up via e-mail on February 15th[1], then on February 19th[2], and finally on February 22nd[3] explaining that their advised resolution is exactly how this feature has always worked, we received no reply other than a note that they would get back to us. 

The next communication received from the reporting organization was 5 weeks later, notifying us that they were publishing the report.

Even though the Client Access feature has always been optional, exactly as the security researchers advised it should be, there will be a published CVE reporting an RCE vulnerability in Breakdance 1.7.0 and below.

This is not an RCE vulnerability in Breakdance.

Client Access will continue to work as it always has.

[0]

[1]

[2]

[3]

    Experience the Breakdance difference.

    Unlimited license.
    Unlimited websites.

    Get maximum flexibility with unlimited licensing and domain activations.

    60-day money back guarantee.
    No questions asked.

    Get your money back within 60 days of purchase, no questions asked. It's risk-free!

    Premium support.
    Get all the help you need.

    We offer premium support to ensure the ultimate customer experience.

    Just $299.99/year for
    unlimited sites.

    For a limited time, we're offering an unlimited site license for just $299.99/year. Buy now to lock in this price.

    Breakdance logo
    Made in Breakdance
    © Soflyy. All rights reserved