WeBid Remote PHP Code Injection Vulnerability in Converter.php

Vulnerability

A remote code injection vulnerability has been identified in WeBid version 1.0.2, specifically within the 'converter.php' script. The issue arises from unsanitized input in the 'to' parameter of a POST request, which is directly written into 'includes/currencies.php'. This vulnerability allows unauthenticated attackers to inject arbitrary PHP code, leading to persistent remote code execution when the modified script is accessed or included by the application.

Impact

Successful exploitation gives an attacker arbitrary PHP code execution on the server, running as the web server user. Because the payload is written to disk in 'includes/currencies.php' rather than executed once, it persists across requests and is re-executed every time the file is included, so a single request establishes a durable foothold. From there the attacker can read or modify the application's files and data and attempt further compromise of the host.

Reproduction

To reproduce this vulnerability, send a form-encoded POST request to 'converter.php' with the 'action' parameter set to 'convert', the 'from' parameter set to 'USD', and the 'to' parameter containing the PHP code payload. No authentication is required. The payload is written into 'includes/currencies.php' and executes the next time the application includes that file, or when the file is requested directly.
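The following is an added example, not WeBid's own code: a hypothetical reconstruction of the pattern described above (a POST value interpolated into PHP source that is later included) beside a hardened version. The parameter names 'from' and 'to' and the target file 'includes/currencies.php' come from the advisory; the file format, the function names and the sample payload are assumptions made for illustration. The script writes to the system temp directory and never includes the vulnerable output, so it is safe to run locally.

```php
<?php
// Added example, not WeBid's code. The generated file format and the
// function names are assumptions; only the parameter names and the
// target file 'includes/currencies.php' come from the advisory.

// VULNERABLE: the raw POST value is interpolated into PHP source that the
// application later include()s. A value that closes the quote and the
// array() call, such as   XXX'); system($_GET['c']); //   , becomes code.
function write_currencies_vulnerable(string $path, string $from, string $to): void
{
    $src = "<?php\n\$currencies = array('from' => '$from', 'to' => '$to');\n";
    file_put_contents($src_path = $path, $src);
}

// HARDENED: accept only three-letter upper-case currency codes (ISO 4217
// style) and emit the file through var_export(), which quotes and escapes
// string values, so no accepted value can change the structure of the code.
function write_currencies_safe(string $path, string $from, string $to): void
{
    foreach ([$from, $to] as $code) {
        if (!preg_match('/^[A-Z]{3}$/', $code)) {
            throw new InvalidArgumentException("bad currency code: $code");
        }
    }
    $src = "<?php\nreturn " . var_export(['from' => $from, 'to' => $to], true) . ";\n";
    // Write to a temp file and rename so a concurrent include() never sees
    // a half-written file.
    $tmp = $path . '.tmp';
    file_put_contents($tmp, $src, LOCK_EX);
    rename($tmp, $path);
}

// Demonstration on a constructed payload (the 'to' value an attacker would POST).
$payload = "XXX'); system(\$_GET['c']); //";
$dir = sys_get_temp_dir();

write_currencies_vulnerable("$dir/currencies_vuln.php", 'USD', $payload);
// Print the generated source instead of including it: the injected
// system() call sits outside the string literal and would run if included.
echo file_get_contents("$dir/currencies_vuln.php");

try {
    write_currencies_safe("$dir/currencies_safe.php", 'USD', $payload);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
write_currencies_safe("$dir/currencies_safe.php", 'USD', 'EUR');
$currencies = require "$dir/currencies_safe.php";
var_dump($currencies);
```

The allowlist is the essential control: var_export() alone would stop the quote break-out, but validating the code as well keeps arbitrary attacker text out of a file that the application executes. Storing the data in a non-PHP format (JSON, or the database) and parsing it at runtime removes the problem class entirely and is the preferable design when the format is under your control.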

Remediation

Users are advised to update to WeBid version 1.2.1, which addresses this vulnerability. The update can be downloaded from the WeBid SourceForge page. Because the injected code is written to disk in 'includes/currencies.php', upgrading may not remove a payload that is already present: after updating, inspect that file for anything other than the expected currency data and restore it from a clean copy if it has been tampered with. Web server logs showing POST requests to 'converter.php' with an unusual 'to' value are an indicator that the issue was exploited before the update.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 10.0
exploitability: 9.7
remediation: 0.0
relevance: 0.3
threat: 7.5
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.