InstantCMS
cpe:2.3:a:instantcms:instantcms:*:*:*:*:*:*:*
- <= 1.6
This vulnerability is being actively exploited in the wild.
A remote code execution vulnerability has been identified in InstantCMS versions through 1.6. This issue arises from the unsafe use of the eval() function in the search view handler, where user-supplied input via the look parameter is executed as PHP code without proper sanitization. Attackers can exploit this vulnerability by sending a crafted HTTP GET request with a base64-encoded payload in the Cmd header, leading to arbitrary PHP code execution on the server.
Successful exploitation gives the attacker arbitrary PHP code execution on the server; the injected code runs in the context of the web server user.
To reproduce this vulnerability, send a GET request to the InstantCMS search view with the look parameter set to a value that will be executed by eval(). Include a base64-encoded payload in the Cmd header that, when decoded, executes the desired PHP code. This can be done using a simple payload generator that converts the PHP code into a format suitable for injection.
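The request shape described above can be hunted for in request logs. The following is an added detection example, not code from this page or from InstantCMS. It assumes a JSON-lines proxy or WAF log that records each request's `url` and `headers`; that log format, the `/search-placeholder` path and all sample values are constructed for illustration.

```python
import base64, binascii, json, re
from urllib.parse import urlsplit, parse_qs

# Characters a plain search term rarely needs but injected PHP code does.
CODE_CHARS = re.compile(r"[\"'();$`\\]")

def is_base64(value):
    """True if value is non-empty and strictly valid base64."""
    try:
        return bool(base64.b64decode(value, validate=True))
    except (binascii.Error, ValueError):
        return False

def indicators(record):
    """Return the indicators one logged request matches."""
    hits = []
    query = parse_qs(urlsplit(record.get("url", "")).query)
    if any(CODE_CHARS.search(v) for v in query.get("look", [])):
        hits.append("look-code-chars")
    headers = {k.lower(): v for k, v in record.get("headers", {}).items()}
    if "cmd" in headers:  # Cmd is not a standard request header
        hits.append("cmd-base64" if is_base64(headers["cmd"]) else "cmd-present")
    return hits

def scan(lines):
    """Return (line_no, severity, hits) for each request worth a look."""
    findings = []
    for no, line in enumerate(lines, 1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not JSON records
        if not isinstance(record, dict):
            continue
        hits = indicators(record)
        if hits:
            both = {"look-code-chars", "cmd-base64"} <= set(hits)
            findings.append((no, "high" if both else "review", hits))
    return findings

# Constructed sample records; the path and header values are placeholders.
SAMPLE = [
    json.dumps({"url": "/search-placeholder?look=holiday+photos", "headers": {"User-Agent": "browser"}}),
    json.dumps({"url": "/search-placeholder?look=test%22%29%3B%24x",
                "headers": {"Cmd": base64.b64encode(b"constructed-sample").decode()}}),
    json.dumps({"url": "/search-placeholder?look=cats", "headers": {"Cmd": "not base64!"}}),
    "truncated log line",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A `high` finding means both signals from the description coincide in one request: code-like characters in `look` and a base64 value in a `Cmd` header. Standard access logs usually omit request headers, so the second signal needs a log source that captures them.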