Remote Code Execution due to code injection in slackero/phpwcms

Valid

Reported on

Aug 3rd 2022


Description

RCE in CP > ADMIN > site structure (requires admin privilege)

Because of a typo in the sanitization, anyone with admin privilege can edit "site structure", bypass the check and execute PHP code. Since PHP can call system() and similar functions, this is an RCE vulnerability.

A few lines further down there is a correct sanitization, but it can still be bypassed with an escaping backslash.

Proof of Concept

For the first (typo) sanitization, the payload is ‘; phpinfo(); //.

For the second sanitization, the payload is \‘; phpinfo(); //.

A demo video accompanies this report.
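The following PHP script is an added example and not phpwcms code: it uses hypothetical stand-ins for the two flawed sanitizers described above (one escaping the wrong quote character, one escaping the quote but not the backslash), shows the correct alternative (var_export), and includes a lexer-based check that flags a quoting routine whose output does not lex as a single string literal.

```php
<?php
// Added example, not phpwcms code. Hypothetical stand-ins for the two flawed
// sanitizers the report describes, the correct alternative, and a check that
// catches a broken quoting routine before the generated PHP file is written.

// Stand-in for the "typo" sanitizer: escapes the wrong quote character, so a
// single quote passes through untouched.
function typo_quote(string $v): string {
    return "'" . str_replace('"', '\\"', $v) . "'";
}

// Stand-in for the second sanitizer: escapes the single quote but not the
// backslash, so a leading backslash neutralises the added escape.
function naive_quote(string $v): string {
    return "'" . str_replace("'", "\\'", $v) . "'";
}

// Correct: var_export() emits a PHP literal with both '\' and "'" escaped.
function safe_quote(string $v): string {
    return var_export($v, true);
}

// True only if $literal lexes as exactly one string literal. Any other token
// means the value broke out of the string and would execute as code.
function is_single_string_literal(string $literal): bool {
    $significant = [];
    foreach (token_get_all("<?php " . $literal) as $t) {
        if (is_array($t) && in_array($t[0], [T_OPEN_TAG, T_WHITESPACE], true)) {
            continue;
        }
        $significant[] = $t;
    }
    return count($significant) === 1
        && is_array($significant[0])
        && $significant[0][0] === T_CONSTANT_ENCAPSED_STRING;
}

// The two inputs from the report, used here as constructed test data.
$inputs = ["'; phpinfo(); //", "\\'; phpinfo(); //"];
foreach ($inputs as $in) {
    foreach (['typo_quote', 'naive_quote', 'safe_quote'] as $fn) {
        $literal = $fn($in);
        printf("%-12s %-28s -> %s\n", $fn, $literal,
            is_single_string_literal($literal) ? 'one string literal' : 'BREAKS OUT');
    }
}
```

Run it with `php` on the command line: each flawed quoter lets one of the two inputs break out of the literal, while var_export keeps both inside a single string token.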

Impact

Anyone with admin privilege can edit "site structure", bypass the sanitization and execute PHP code. Because PHP can call system() and similar functions, such an admin can take full control of the host if phpwcms is not configured properly.

We are processing your report and will contact the slackero/phpwcms team within 24 hours. 2 months ago
We have contacted a member of the slackero/phpwcms team and are waiting to hear back 2 months ago
Oliver Georgi validated this vulnerability 2 months ago
a24230928 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Oliver Georgi confirmed that a fix has been merged on 7efb45 2 months ago
Oliver Georgi has been awarded the fix bounty
act_structure.php#L85 has been validated
act_structure.php#L109 has been validated