April 2, 2024
A security researcher reported that users with Edit Content Interface Only access can execute PHP in Breakdance.
Despite the clear warnings about this in the UI and the linked documentation, this has been accepted as an RCE report.
This is not a valid RCE report.
By design, Breakdance’s Client Access feature allows those with Breakdance access to execute PHP.
The Client Access feature is off by default, and there is a security notice directly above the feature with more details. This security notice has been present since Client Access was introduced.
The reporting organization also advised the following, directly quoted from the report: “…if this must be supported, then we recommend adding an opt-in setting where the admin can define which user roles have the ability to define and execute the PHP code.”
This is exactly how it currently works, and exactly how it has always worked.
Despite our attempts to work with the reporting organization, following up via e-mail on February 15th[1], then on February 19th[2], and finally on February 22nd[3] to explain that their advised resolution is exactly how this feature has always worked, we received no reply other than a note that they would get back to us.
The next communication received from the reporting organization was 5 weeks later, notifying us that they were publishing the report.
Even though the Client Access feature has always been optional, exactly as the security researchers advised it should be, there will be a published CVE reporting an RCE vulnerability in Breakdance 1.7.0 and below.
This is not an RCE vulnerability in Breakdance.
Client Access will continue to work as it always has.
[1]
[2]
[3]