CVE-2007-6548 in RunCMS
Summary
by MITRE
Multiple direct static code injection vulnerabilities in RunCMS before 1.6.1 allow remote authenticated administrators to inject arbitrary PHP code via the (1) header and (2) footer parameters to modules/system/admin.php in a meta-generator action, (3) the disclaimer parameter to modules/system/admin.php in a disclaimer action, (4) the disclaimer parameter to modules/mydownloads/admin/index.php in a mydownloadsConfigAdmin action, (5) the disclaimer parameter to modules/newbb_plus/admin/forum_config.php, (6) the disclaimer parameter to modules/mylinks/admin/index.php in a myLinksConfigAdmin action, or (7) the intro parameter to modules/sections/admin/index.php in a secconfig action, which inject PHP sequences into (a) sections/cache/intro.php, (b) mylinks/cache/disclaimer.php, (c) mydownloads/cache/disclaimer.php, (d) newbb_plus/cache/disclaimer.php, (e) system/cache/disclaimer.php, (f) system/cache/footer.php, (g) system/cache/header.php, or (h) system/cache/maintenance.php in modules/.
Analysis
by VulDB Data Team • 10/13/2024
This vulnerability is a critical code injection flaw in RunCMS version 1.6.1 and earlier: authenticated administrators can execute arbitrary PHP code through multiple injection points. It stems from insufficient validation and sanitization of user-supplied parameters in several administrative interfaces. An attacker holding administrative privileges can submit crafted header, footer, disclaimer, and intro parameters through specific URLs; the injected PHP is written into cache files and executed whenever those files are processed. The affected parameters are handled by the meta-generator, disclaimer, and configuration actions of the system, mydownloads, newbb_plus, mylinks, and sections modules, and the resulting cache files include sections/cache/intro.php, mylinks/cache/disclaimer.php, and system/cache/header.php, among others. The weakness maps to CWE-94 (improper control of generation of code) and more specifically to CWE-95 (improper neutralization of special elements used in PHP code). The attack vector corresponds to ATT&CK technique T1059.007, specifically PHP code injection, where an attacker leverages administrative access to place malicious code in the application's execution environment. The impact extends beyond immediate code execution to potential privilege escalation, data exfiltration, and system compromise. Because the application stores unvalidated input directly in cached PHP files, the injected code persists as a backdoor that is triggered each time the cached files are accessed. The affected modules share the same insecure pattern: administrative input directly determines the content of cached PHP files.
This is a classic case of insecure direct object reference combined with code injection: the cached file paths act as direct references to executable code locations. The injected PHP is stored in cache files that run on subsequent page loads, so execution persists, which makes the flaw particularly dangerous for long-term compromise. Exploitation requires only administrative access, which is often obtained through other means such as credential theft or privilege escalation. The flaw also violates the principle of least privilege, since even authenticated administrators should not be able to inject arbitrary code into the system's core functionality. The cache-file injection points offer several places where malicious code can be planted and executed without detection, potentially leading to complete system compromise, and the impact is amplified because core system modules and the caching mechanism itself are affected. Input validation, output encoding, and sanitization of user-supplied data are entirely absent from these administrative interfaces, a fundamental flaw in the application's architecture that reflects a lack of secure coding practices and insufficient security testing of administrative code paths, especially those that write cached files. Organizations running affected versions should apply patches or upgrade immediately, because the vulnerability lets an attacker establish a persistent backdoor and execute arbitrary code with the privileges of the web application.
The vulnerability also underlines the importance of strict access controls and monitoring of administrative activity, since the attack needs nothing more than legitimate administrative credentials. Injection points spread across multiple modules point to a systemic flaw in the codebase rather than isolated mistakes, so similar weaknesses may exist in other parameter-handling code in the application.
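To make the pattern the analysis describes concrete, here is an added example (not RunCMS code, and not from VulDB or MITRE) that models an admin setting being persisted to a cache file which the front end later includes. It shows the unsafe write beside two hardened alternatives and a tokenizer-based check an operator can run over such cache files; the file paths, function names and sample text are constructed.

```php
<?php
// Added example (not RunCMS, VulDB or MITRE code). Models the bug class in the advisory:
// an admin setting is persisted into a cache file that is later include()d. All names constructed.

// Vulnerable pattern: the submitted text is pasted straight into PHP source, so a
// quote, a backslash or a "?>" in $text changes the code that is later executed.
function write_cache_unsafe(string $path, string $text): void
{
    file_put_contents($path, "<?php\nreturn '" . $text . "';\n");
}
// Hardened pattern 1: keep settings as data, not code. Store JSON and parse it
// back; nothing in the file is ever executed by the PHP engine.
function write_setting_json(string $path, string $text): void
{
    file_put_contents($path, json_encode(['disclaimer' => $text], JSON_THROW_ON_ERROR));
}
function read_setting_json(string $path): string
{
    $data = json_decode(file_get_contents($path), true, 512, JSON_THROW_ON_ERROR);
    return (string) ($data['disclaimer'] ?? '');
}
// Hardened pattern 2 (if the cache must stay a .php file): emit the value with
// var_export(), which escapes quotes and backslashes so it can only be a literal.
function write_cache_literal(string $path, string $text): void
{
    file_put_contents($path, "<?php\nreturn " . var_export($text, true) . ";\n");
}
// Detection aid for operators: a file written by write_cache_literal() must tokenize to
// exactly "<?php return <string>;". Any other token sequence deserves review.
function cache_file_is_single_literal(string $path): bool
{
    $kinds = [];
    foreach (token_get_all(file_get_contents($path)) as $t) {
        if (is_array($t) && $t[0] === T_WHITESPACE) continue;
        $kinds[] = is_array($t) ? $t[0] : $t;   // token id, or a one-char token like ';'
    }
    return $kinds === [T_OPEN_TAG, T_RETURN, T_CONSTANT_ENCAPSED_STRING, ';'];
}

// Constructed sample: ordinary text with quotes is enough to show the difference.
$dir  = sys_get_temp_dir();
$text = "Don't rely on this 'cache' for security.";
write_cache_unsafe("$dir/disclaimer_unsafe.php", $text);
write_cache_literal("$dir/disclaimer.php", $text);
write_setting_json("$dir/disclaimer.json", $text);
var_dump(cache_file_is_single_literal("$dir/disclaimer_unsafe.php"));  // quotes broke the literal
var_dump(cache_file_is_single_literal("$dir/disclaimer.php"));
var_dump((include "$dir/disclaimer.php") === $text, read_setting_json("$dir/disclaimer.json") === $text);
```

The same token-shape check can be extended to any generated cache file whose legitimate content has a fixed, known structure; a file that no longer matches that structure is the signal to investigate.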