HybridAuth Remote Code Execution Vulnerability via Unauthenticated Configuration Injection
Vulnerability
A remote code execution vulnerability has been identified in HybridAuth versions 2.0.9 up to, but not including, 2.2.2. The issue arises from the installation script 'install.php', which remains accessible after deployment and does not sanitize user input before writing it into the application's 'config.php' file. This flaw allows an unauthenticated attacker to inject arbitrary PHP code into 'config.php', which is executed whenever that file is loaded. Successful exploitation overwrites the existing configuration, so the application also stops working correctly.
Impact
Exploitation of this vulnerability allows for remote code execution on the server, with the injected code executed in the context of the web server user.
Reproduction
To reproduce this vulnerability, first verify that the target HybridAuth installation is within the vulnerable version range, that the 'install.php' script is still reachable, and that the 'config.php' file is writable by the web server user. Once these conditions are met, PHP code supplied in the 'OPENID_ADAPTER_STATUS' POST parameter of 'install.php' is written into 'config.php' and executed when that file is loaded. After the injection, the code can be executed by sending a request to 'config.php' with the same POST parameter that was used for the injection.
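The root cause described above is request input being written into PHP source as if it were data. The following is an added illustration, not HybridAuth's own 'install.php' code: it contrasts a config writer that interpolates input into a PHP string literal with one that allowlists keys, validates types and serialises values with var_export(), and it adds the two post-deployment checks the advisory implies (installer removed, 'config.php' read-only). The treatment of 'OPENID_ADAPTER_STATUS' as a boolean flag, the 'BASE_URL' key and the file layout are assumptions made for the example.

```php
<?php
// Added illustration, not HybridAuth's install.php. Keys, types and paths are assumptions.

// Hypothetical allowlist of settings an installer may write.
const ALLOWED_KEYS = ['OPENID_ADAPTER_STATUS', 'BASE_URL'];

/**
 * UNSAFE (illustrative only): request values are pasted into PHP source.
 * A value containing a quote leaves the string literal, so whatever follows
 * is parsed as code once config.php is included.
 */
function render_config_unsafe(array $input): string
{
    $out = "<?php\n\$config = [\n";
    foreach ($input as $key => $value) {
        $out .= "    '$key' => '$value',\n";
    }
    return $out . "];\n";
}

/**
 * SAFER: only allowlisted keys, values coerced to the expected type, and
 * var_export() used so the result is always a quoted PHP literal, never code.
 */
function render_config_safe(array $input): string
{
    $settings = [];
    foreach (ALLOWED_KEYS as $key) {
        if (!array_key_exists($key, $input)) {
            continue;
        }
        $value = $input[$key];
        if ($key === 'OPENID_ADAPTER_STATUS') {
            // Assumed to be a boolean flag: accept exactly "true"/"false", reject anything else.
            if ($value !== 'true' && $value !== 'false') {
                throw new InvalidArgumentException("Invalid value for $key");
            }
            $settings[$key] = ($value === 'true');
        } else {
            $settings[$key] = (string) $value;
        }
    }
    // var_export() escapes quotes and backslashes, so the output is data, not code.
    return "<?php\n\$config = " . var_export($settings, true) . ";\n";
}

/**
 * Post-deployment checks for the two conditions the advisory names.
 * Returns human-readable findings; an empty array means both checks passed.
 */
function deployment_findings(string $appDir): array
{
    $findings = [];
    if (is_file("$appDir/install.php")) {
        $findings[] = 'install.php is still present; delete it after installation';
    }
    $config = "$appDir/config.php";
    if (is_file($config) && is_writable($config)) {
        $findings[] = 'config.php is writable by the web server user; make it read-only';
    }
    return $findings;
}

// Constructed input: the flag value carries a stray single quote.
$constructed = ['OPENID_ADAPTER_STATUS' => "true'", 'BASE_URL' => 'https://example.invalid/'];

// The unsafe writer emits a broken literal ('true'' ...), the point at which
// the file stops being data.
echo render_config_unsafe($constructed), "\n";

// The safe writer rejects the malformed flag outright.
try {
    echo render_config_safe($constructed), "\n";
} catch (InvalidArgumentException $e) {
    echo "Rejected: ", $e->getMessage(), "\n";
}

// Well-formed input is serialised as literals.
echo render_config_safe(['OPENID_ADAPTER_STATUS' => 'true', 'BASE_URL' => "https://example.invalid/it's"]), "\n";

foreach (deployment_findings(__DIR__) as $finding) {
    echo "- $finding\n";
}
```

Run it with `php` from a directory that mimics the deployed layout to see both renderers' output and the findings list. Beyond fixing the writer, the practical remediation for this advisory is to upgrade to HybridAuth 2.2.2 or later, delete 'install.php' once installation is complete, and ensure 'config.php' is not writable by the web server user, which removes both preconditions the reproduction section relies on.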