CTCMS Content Management System Code Injection Vulnerability in Backend System Configuration Module

A code injection vulnerability has been identified in CTCMS Content Management System versions through 2.1.2. The issue resides in the Backend System Configuration Module, specifically within the library '/ctcms/libs/Ct_Config.php'. The vulnerability allows authenticated administrators to inject malicious PHP code by manipulating the 'Cj_Add' or 'Cj_Edit' parameters. Once injected, the code is executed when the configuration file is accessed, leading to remote code execution.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server, with the injected code executed in the context of the web server.

Reproduction

To reproduce this vulnerability, an authenticated administrator must access the backend system configuration page. After navigating to the page, intercept the request and add a malicious payload to the 'Secondary Update Rules' parameter. Once the request is submitted, the injected code will be executed when the '/ctcms/libs/Ct_Config.php' file is accessed.