Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

PHP-Charts Code Execution Vulnerability

Vulnerability

A PHP code execution vulnerability has been identified in PHP-Charts version 1.0, specifically in the 'wizard/url.php' file. The flaw exists because user-supplied GET parameter names (the keys, not the values) are passed directly to the 'eval()' function without sanitization. A remote, unauthenticated attacker can therefore inject arbitrary PHP code, including base64-encoded payloads embedded in the parameter names, and have it executed with the privileges of the web server process, potentially compromising the host system.

Impact

Exploitation of this vulnerability allows for arbitrary PHP code execution on the server, with the executed commands running under the web server's user context. This could lead to a full compromise of the host system.

Reproduction

To reproduce this vulnerability, send a GET request to 'wizard/url.php' with a crafted parameter name that includes base64-encoded PHP code. The 'eval()' function will execute the injected code, allowing for command execution on the server.
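A log-based detection heuristic for the pattern described above, added here as an illustrative example and not part of the advisory: it flags GET requests to wizard/url.php whose query-string parameter names are long, entirely base64 alphabet, and decode to printable text, something ordinary chart parameter names never do. The access-log format, the sample log lines and the 16-character length threshold are assumptions.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# Assumed common/combined access-log prefix: client, ident, user, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")

def looks_like_base64_text(key):
    """True if a query-string key is long, entirely base64 alphabet, and decodes to printable text."""
    key = unquote(key)  # undo %xx escapes but keep '+' as a base64 character
    if len(key) < 16 or not B64_RE.fullmatch(key):  # 16 is an assumed threshold; real keys are short words
        return False
    padded = key.rstrip("=")
    padded += "=" * (-len(padded) % 4)  # '=' is usually dropped inside a URL key, so restore it
    try:
        decoded = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in decoded)
    return bool(decoded) and printable / len(decoded) >= 0.9

def suspicious_param_names(target):
    """Return the opaque-looking parameter names of a request to wizard/url.php, else []."""
    parts = urlsplit(target)
    if not parts.path.endswith("wizard/url.php"):
        return []
    # Split the raw query ourselves: parse_qs would turn '+' into a space and drop blank values.
    keys = [pair.split("=", 1)[0] for pair in parts.query.split("&") if pair]
    return [k for k in keys if looks_like_base64_text(k)]

def scan_access_log(lines):
    """Return (client ip, flagged keys) for every GET log line that trips the heuristic."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("method") == "GET":
            keys = suspicious_param_names(m.group("target"))
            if keys:
                hits.append((m.group("ip"), keys))
    return hits

# Constructed sample log lines; the base64 key stands in for an attacker-controlled parameter name.
SAMPLE_KEY = base64.b64encode(b"constructed placeholder standing in for injected code").decode().rstrip("=")
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Aug/2025:20:29:00 +0000] "GET /wizard/url.php?type=bar&width=400 HTTP/1.1" 200 512',
    f'203.0.113.7 - - [05/Aug/2025:20:30:00 +0000] "GET /wizard/url.php?{SAMPLE_KEY}=1 HTTP/1.1" 200 88',
    f'203.0.113.9 - - [05/Aug/2025:20:31:00 +0000] "GET /index.php?{SAMPLE_KEY} HTTP/1.1" 200 10',
]
```

Running scan_access_log(SAMPLE_LOG) flags only the 203.0.113.7 request; the heuristic is a triage aid, and a hit should be confirmed by checking whether the installation still exposes wizard/url.php unpatched.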

Added: Aug 5, 2025, 8:29 PM
Updated: Aug 5, 2025, 10:17 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 9.1
remediation: 0.0
relevance: 0.3
threat: 9.5
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.