PHP-Fusion Remote Code Execution Vulnerability in Panels.php Administration Endpoint

A remote code execution vulnerability has been identified in PHP-Fusion version 9.03.50. The issue arises in the 'add_panel_form()' function within the panels.php administration file. The vulnerability allows attackers to execute arbitrary code by sending crafted POST data to the panels.php administration endpoint. The exploitation leverages an eval() function that processes unsanitized POST data, enabling the execution of malicious code.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server where PHP-Fusion is running.

Reproduction

To reproduce this vulnerability, send a POST request to the panels.php administration endpoint with the following parameters: 'fusion_token', 'form_id', 'panel_id', 'panel_name', 'panel_filename', 'panel_side', 'panel_restriction', 'panel_url_list', 'panel_display', 'panel_content' (insert the code execution payload here), 'panel_access', 'panel_languages', and 'panel_save'. The 'panel_content' parameter is the vector for code execution, as the 'add_panel_form()' function evaluates its content using the eval() function.