Zytec Dalian Zhuoyun Technology Central Authentication Service Code Injection Vulnerability Allowing Remote Command Execution
Vulnerability
A code injection vulnerability has been identified in Zytec Dalian Zhuoyun Technology Central Authentication Service versions prior to 20251009. The issue resides in the '_empty' function of the 'Widget' controller, specifically within the 'index.php/auth/widget' file. This vulnerability allows remote attackers to manipulate the 'get.layer', 'get.widget', and 'get.action' parameters, leading to unauthorized code execution. The application, developed on the ThinkPHP framework, exposes a critical design flaw that can be exploited to execute arbitrary commands, perform SQL injection, and read arbitrary files. Additionally, this vulnerability could be leveraged to perform Server-Side Request Forgery (SSRF) attacks.
Impact
Exploitation of this vulnerability allows for remote code execution, execution of arbitrary SQL commands, Server-Side Request Forgery (SSRF) attacks, and arbitrary file reading.
Reproduction
To reproduce this vulnerability, send a request to the 'index.php/auth/widget/_empty' endpoint, including the 'get.layer', 'get.widget', and 'get.action' parameters. The '_empty' function will process these parameters and forward them to the 'action' method, where the injected code can be executed. For example, to execute arbitrary SQL commands, use the 'appopenmodelAppVisibleRangeModel' widget with the 'query' method, and for remote command execution, use the 'app\common\lib\Cmd' widget with the 'EXEC_CMD' action.
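Detection logic a defender could run over web-server access logs for the dispatcher described above, as an added example that is not code from the advisory or the vendor. The endpoint path and the 'get.layer', 'get.widget' and 'get.action' parameter names come from the advisory; the plain-identifier rule, the Common Log Format layout and the sample log lines are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and request parameters named in the advisory.
WIDGET_PATH = re.compile(r"/index\.php/auth/widget(?:/|$)", re.IGNORECASE)
DISPATCH_PARAMS = ("get.layer", "get.widget", "get.action")
# Assumption: legitimate layer/widget/action values are plain identifiers;
# namespace separators, slashes or dots point at arbitrary class dispatch.
PLAIN_IDENTIFIER = re.compile(r"^[A-Za-z0-9_]+$")
# Common Log Format: client IP, method, request target and status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def analyze_request(target: str):
    """Return a finding for one request target, or None when it is not of interest."""
    parts = urlsplit(target)
    if not WIDGET_PATH.search(unquote(parts.path)):
        return None
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes once
    present = [p for p in DISPATCH_PARAMS if p in query]
    if not present:
        return None
    reasons = ["dispatch parameters supplied: " + ", ".join(present)]
    for param in present:
        for value in query[param]:
            if not PLAIN_IDENTIFIER.match(value):
                reasons.append(f"{param} is not a plain identifier: {value!r}")
    # Any non-identifier value is treated as an attempt to reach arbitrary classes.
    severity = "high" if len(reasons) > 1 else "medium"
    return {"severity": severity, "reasons": reasons}

def scan_log(lines):
    """Run analyze_request over Common Log Format lines and collect findings."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (finding := analyze_request(m["target"])):
            findings.append({"ip": m["ip"], "method": m["method"], "target": m["target"], **finding})
    return findings

# Constructed sample log lines (not taken from the advisory or any real system).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "GET /index.php/auth/login HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2025:12:00:02 +0000] "GET /index.php/auth/widget/_empty?get.layer=admin&get.widget=Menu&get.action=render HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Oct/2025:12:00:03 +0000] "GET /index.php/auth/widget/_empty?get.layer=x&get.widget=some%5Cnamespace%5CClass&get.action=run HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    print(*scan_log(SAMPLE_LOG), sep="\n")
```

Medium findings are expected from legitimate widget rendering and are useful mainly for baselining; high findings, where a parameter carries namespace or path characters, are the ones to alert on.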
