Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

ProcessMaker Open Source Code Injection Vulnerability Allowing Arbitrary PHP Code Execution

Vulnerability

A code injection vulnerability has been identified in ProcessMaker Open Source versions 2.0.23 prior to 2.5.2, when the default 'neoclassic' skin is active. This vulnerability allows authenticated users to execute arbitrary PHP code by sending crafted POST requests to several endpoints, including appFolderAjax.php, casesStartPage_Ajax.php, and cases_SchedulerGetPlugins.php. The affected endpoints fail to properly validate user input and directly execute PHP functions like system() with user-supplied parameters, leading to remote code execution. This issue exists in both Linux and Windows installations under default configurations.
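The defect described above is a request parameter being resolved to an arbitrary PHP function and invoked with request-supplied arguments. The dispatcher below is an added example of the hardened shape, written for this page and not ProcessMaker's own code: the 'action' value can only select from a fixed allowlist of handlers, and each handler validates its own 'params'. The handler name listFolder and its folderId check are illustrative assumptions.

```php
<?php
declare(strict_types=1);
// Allowlist dispatcher: 'action' selects one of a fixed set of handlers and
// each handler validates its own 'params'. The handler name and the folderId
// check are illustrative assumptions, not ProcessMaker code.
final class AjaxDispatcher
{
    private array $handlers;

    public function __construct()
    {
        // The only actions this endpoint can perform; anything else is refused
        // before any code runs, so a function name such as system() is never
        // looked up or called.
        $this->handlers = [
            'listFolder' => [$this, 'listFolder'],
        ];
    }

    public function dispatch(array $post): array
    {
        $action = $post['action'] ?? '';
        if (!is_string($action) || !isset($this->handlers[$action])) {
            // Log the rejection: repeated unknown actions are a detection signal.
            error_log('rejected ajax action: ' . var_export($action, true));
            return ['error' => 'unknown action'];
        }
        $params = $post['params'] ?? [];
        if (!is_array($params)) {
            return ['error' => 'params must be an array'];
        }
        return ($this->handlers[$action])($params);
    }

    private function listFolder(array $params): array
    {
        // Accept exactly one argument, a positive integer folder id.
        $opts = ['options' => ['min_range' => 1]];
        $id = filter_var($params['folderId'] ?? null, FILTER_VALIDATE_INT, $opts);
        return $id === false ? ['error' => 'invalid folderId']
                             : ['folderId' => $id, 'entries' => []]; // lookup omitted
    }
}

// Constructed requests: the allowed action runs; the request naming a PHP
// function (the shape the advisory describes) is rejected without execution.
$d = new AjaxDispatcher();
var_dump($d->dispatch(['action' => 'listFolder', 'params' => ['folderId' => '7']]));
var_dump($d->dispatch(['action' => 'system', 'params' => ['id']]));
```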

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary PHP code on the server, potentially leading to a full system compromise.

Reproduction

To reproduce this vulnerability, an authenticated user must send a POST request to one of the vulnerable endpoints with crafted parameters. The 'action' parameter should be set to a PHP function name, and the 'params' parameter should contain the arguments for that function. The request can be made using a tool like cURL or Postman.

Remediation

Update to ProcessMaker version 2.5.2 or later, where this vulnerability has been fixed.

Added: Jul 31, 2025, 4:11 PM
Updated: Jul 31, 2025, 4:11 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 10.0
exploitability: 6.9
remediation: 7.7
relevance: 0.3
threat: 9.3
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.