ZendTo Command Injection Vulnerability in File Dropoff Feature Allowing Unauthenticated Remote Code Execution

A command injection vulnerability has been identified in ZendTo versions 5.24-3 through 6.x prior to 6.10-7. The issue resides in the file lib/NSSDropoff.php, where unauthenticated remote attackers can execute arbitrary commands. This is achieved by injecting shell metacharacters into the tmp_name parameter while dropping off a file via a POST /dropoff request.

Impact

Exploitation of this vulnerability allows for unauthenticated remote code execution on the server where ZendTo is installed.

Reproduction

The vulnerability can be reproduced by sending a POST request to the /dropoff endpoint. The request must include a chunkName and a file_1 field. The file_1 field should be formatted as a JSON string containing a name, type, size, and a tmp_name value that includes the injected command. Once the request is processed, the injected command will be executed on the server.

Remediation

Users can upgrade to ZendTo version 6.10-7 or later to address this vulnerability.