Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Kaltura Remote PHP Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in Kaltura versions prior to 11.1.0-2. This issue arises from unsafe deserialization of user-controlled data within the keditorservices module. An unauthenticated remote attacker can exploit this vulnerability by sending a specially crafted serialized PHP object in the kdata GET parameter to the redirectWidgetCmd endpoint. Successful exploitation allows the execution of arbitrary PHP code in the context of the web server process.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server, executed as the web server user.

Reproduction

The vulnerability can be reproduced by sending a GET request to the 'index.php/keditorservices/redirectWidgetCmd' endpoint with a base64-encoded serialized PHP object. This object should be crafted to include a command that will be executed on the server. The Metasploit module available in the Exploit Database can be used to automate this exploitation.
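For defenders, an added example that is not part of this advisory: it scans web-server access log entries in Common Log Format for GET requests to the redirectWidgetCmd endpoint whose kdata parameter base64-decodes to a serialized PHP object (the `O:<len>:"<class>":` shape PHP's serializer emits). The log lines, client addresses and the empty stdClass placeholder object are constructed for the example.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit
# Path of the affected endpoint, as named in the advisory.
TARGET_PATH = "/index.php/keditorservices/redirectWidgetCmd"

# Common Log Format: client ident user [time] "METHOD target HTTP/x" status bytes
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$')

# Serialized PHP object: O:<len>:"<class>":<count>:{ ... }; searched anywhere so a nested object is caught too.
PHP_OBJECT_RE = re.compile(rb'O:\d+:"[^"]+":\d+:\{')

def decode_kdata(value: str):
    """Base64-decode kdata, or None if invalid; parse_qs maps '+' to space, so restore it."""
    raw = value.replace(" ", "+").strip()
    raw += "=" * (-len(raw) % 4)  # restore padding stripped by some clients/proxies
    try:
        return base64.b64decode(raw)
    except (binascii.Error, ValueError):
        return None

def is_suspicious_request(target: str) -> bool:
    """True when the request hits redirectWidgetCmd with a kdata that decodes to a PHP object."""
    parts = urlsplit(target)
    if not parts.path.endswith(TARGET_PATH):
        return False
    for value in parse_qs(parts.query).get("kdata", []):
        decoded = decode_kdata(value)
        if decoded is not None and PHP_OBJECT_RE.search(decoded):
            return True
    return False

def scan_access_log(lines):
    """Return (client, time, target) for each GET request that matches the pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("method") == "GET" and is_suspicious_request(m.group("target")):
            hits.append((m.group("client"), m.group("time"), m.group("target")))
    return hits

# Constructed sample log lines; a benign empty stdClass object stands in for a payload.
OBJECT_B64 = base64.b64encode(b'O:8:"stdClass":0:{}').decode()
SAMPLE_LOG = [
    f'203.0.113.7 - - [23/Jul/2025:22:17:01 +0000] "GET {TARGET_PATH}?kdata={OBJECT_B64} HTTP/1.1" 200 512',
    f'198.51.100.4 - - [23/Jul/2025:22:18:10 +0000] "GET {TARGET_PATH}?kdata=aGVsbG8= HTTP/1.1" 200 128',
    '198.51.100.9 - - [23/Jul/2025:22:19:44 +0000] "GET /robots.txt HTTP/1.1" 200 2048',
]
```

Only the first sample line is reported: the second carries base64 that decodes to plain text, and the third never touches the endpoint.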

Remediation

Users are advised to upgrade to Kaltura version 11.7.0-2 or later. For versions where no fix is available, it is recommended to firewall off the Kaltura interface.

Added: Jul 23, 2025, 10:17 PM
Updated: Jul 23, 2025, 10:17 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 10.0
exploitability: 10.0
remediation: 7.7
relevance: 0.3
threat: 9.5
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.