Remote Code Execution due to code injection in slackero/phpwcms

Valid

Reported on

Aug 3rd 2022


Description

RCE in CP > ADMIN > site structure (requires admin privilege)

Because of a typo in the sanitization, anyone with admin privilege can edit “site structure”, bypass the check and execute PHP code. Since PHP can call system() or other system functions, this is an RCE vulnerability.

A few lines later there is a correct sanitization, but it can still be bypassed with a backslash escape.

Proof of Concept

For the first (typo'd) sanitization, the payload is '; phpinfo(); //

For the second sanitization, the payload is \'; phpinfo(); //

A demo video was attached to the report.
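The second bypass above works because escaping only the quote character is not enough when a value is spliced into a single-quoted PHP string literal: the input \' becomes \\' and the backslash pair is consumed as a literal backslash, leaving the quote free to terminate the string. The following PHP is an added illustration, not phpwcms code and not the researcher's; the function names are hypothetical, and the first (typo'd) sanitizer is not modeled because the page does not show it. It contrasts a quote-only escaper with var_export(), which escapes both characters that matter inside a single-quoted literal, and adds a tokenizer-based check that a reviewer or unit test can use to confirm an embedded value never escapes its literal.

```php
<?php
// Added illustration (not phpwcms code): why escaping only the quote character
// is not enough inside a single-quoted PHP string literal, and how to check it.
// Function names are hypothetical.

// Weak sanitizer: escapes ' but leaves a preceding backslash alone, so the
// input \' becomes \\' and the literal is terminated early.
function weak_quote(string $value): string
{
    return "'" . str_replace("'", "\\'", $value) . "'";
}

// Correct: var_export() escapes both the quote and the backslash, which are
// the only two characters with special meaning in a single-quoted literal.
function safe_quote(string $value): string
{
    return var_export($value, true);
}

// Check: tokenize the generated expression and confirm it is exactly one
// T_CONSTANT_ENCAPSED_STRING followed by the terminating semicolon. Any other
// token means the value broke out of the literal, which is the condition a
// code review or regression test should flag.
function literal_intact(string $php_expr): bool
{
    $tokens = token_get_all('<?php ' . $php_expr . ';');
    $kinds = [];
    foreach ($tokens as $t) {
        if (is_array($t)) {
            if ($t[0] === T_OPEN_TAG || $t[0] === T_WHITESPACE) {
                continue;
            }
            $kinds[] = token_name($t[0]);
        } else {
            $kinds[] = $t;
        }
    }
    return $kinds === ['T_CONSTANT_ENCAPSED_STRING', ';'];
}

// Constructed inputs: the two proof-of-concept strings from the report.
$inputs = ["'; phpinfo(); //", "\\'; phpinfo(); //"];
foreach ($inputs as $in) {
    printf(
        "%-22s weak_quote: %s   safe_quote: %s\n",
        json_encode($in),
        literal_intact(weak_quote($in)) ? 'intact' : 'BROKEN',
        literal_intact(safe_quote($in)) ? 'intact' : 'BROKEN'
    );
}
```

Run with the PHP CLI: the quote-only escaper keeps the first payload inside the literal but reports BROKEN for the backslash variant, while var_export() keeps both intact. The tokenizer check is the useful part for defenders: it does not evaluate anything, so it can run in CI against every value a template or config writer embeds in generated PHP.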

Impact

Anyone with admin privilege can edit “site structure”, bypass the sanitization and execute PHP code. Since PHP can call system() or other system functions, such an admin can take control of the whole host if phpwcms is not configured properly.

We are processing your report and will contact the slackero/phpwcms team within 24 hours. a year ago
We have contacted a member of the slackero/phpwcms team and are waiting to hear back a year ago
Oliver Georgi validated this vulnerability a year ago
Shang Hung Wan has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Oliver Georgi marked this as fixed in 1.9.34 with commit 7efb45 a year ago
Oliver Georgi has been awarded the fix bounty
This vulnerability will not receive a CVE
act_structure.php#L85 has been validated
act_structure.php#L109 has been validated