CmsEasy Remote Code Execution Vulnerability in Backend Template Management

Vulnerability

A remote code execution vulnerability exists in CmsEasy versions through 7.7.7, specifically within the backend template management component. The issue arises in the 'savetemp_action' function of the 'template_admin.php' library. This vulnerability allows authenticated administrators to inject malicious PHP code by manipulating the 'content' and 'tempdata' arguments. The injected code is saved to the '/data/template/' directory and executed when the 'pageset=1' parameter is accessed, leading to arbitrary code execution on the server.

Impact

Exploitation of this vulnerability allows for arbitrary PHP code execution on the web server, with the executed code running under the web server's privileges. This could lead to unauthorized access to files, execution of system commands, and potential compromise of the entire system.

Reproduction

To reproduce this vulnerability, log into the admin panel as an administrator. Navigate to the template management page and select a template to edit. Inject PHP code into the template, such as a payload that writes a web shell to the server. Save the template, which will trigger the code execution. Alternatively, this can be done by sending a POST request to the 'savetemp' action with the injected PHP code in the 'content' and 'tempdata' fields. After saving, access the page with the 'pageset=1' parameter to execute the injected code.

Remediation

It is recommended to sanitize template content by filtering out PHP code tags before saving. Additionally, restrict the 'pageset' parameter to authenticated administrators only, use a template sandbox to prevent arbitrary code execution, and implement a Content Security Policy to limit template functionality.
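The following PHP is an added illustration of the first two recommendations above (content filtering at save time and an admin-only 'pageset' gate); it is not CmsEasy's own code. The function names (containsPhpCode, handleSaveTemp, pagesetAllowed) and the $isAdmin flag are assumptions made for the example; the 'content', 'tempdata' and 'pageset' field names are the ones named in this advisory.

```php
<?php
// Added example, not CmsEasy's own code: a save-time gate for template content
// plus an admin-only gate for the pageset parameter, as the remediation above
// recommends. containsPhpCode, handleSaveTemp, pagesetAllowed and $isAdmin are
// assumed names; 'content', 'tempdata' and 'pageset' come from the advisory.
declare(strict_types=1);

/**
 * True when $text contains anything PHP would execute if the template file
 * were included: any "<?" open tag (covers <?php, <?= and short tags) and the
 * legacy <script language="php"> form. The check is deliberately broad and the
 * caller rejects the save instead of stripping the match, because stripping
 * can leave a valid tag behind after one pass (e.g. "<<?php ?>?php").
 */
function containsPhpCode(string $text): bool
{
    $patterns = [
        '/<\?/',                                          // <?php, <?=, <?
        '/<script\b[^>]*\blanguage\s*=\s*["\']?php\b/i',  // <script language="php">
    ];
    foreach ($patterns as $re) {
        if (preg_match($re, $text) === 1) {
            return true;
        }
    }
    return false;
}

/**
 * Gate for the savetemp action. Returns a short status string so the caller
 * can map it to an HTTP response; only 'saved' means the write may proceed.
 */
function handleSaveTemp(array $post, bool $isAdmin): string
{
    if (!$isAdmin) {
        return 'forbidden';
    }
    foreach (['content', 'tempdata'] as $field) {
        $value = (string) ($post[$field] ?? '');
        if (containsPhpCode($value)) {
            return "rejected: {$field} contains PHP code";
        }
    }
    // The caller writes $post['tempdata'] to the template store only on 'saved'.
    return 'saved';
}

/** pageset=1 renders the stored template; allow it for administrators only. */
function pagesetAllowed(array $get, bool $isAdmin): bool
{
    if (!isset($get['pageset'])) {
        return true;            // ordinary request, no template rendering
    }
    return $isAdmin;
}

// Constructed self-check inputs (no real templates involved).
$cases = [
    ['<div>{$title}</div>',                     false],
    ['<?php phpinfo(); ?>',                     true],
    ['<?= $x ?>',                               true],
    ['<SCRIPT language=php>echo 1;</SCRIPT>',   true],
    ['<<?php ?>?php echo 1; ?>',                true],
];
foreach ($cases as [$input, $expected]) {
    $ok = containsPhpCode($input) === $expected ? 'ok  ' : 'FAIL';
    echo "{$ok} " . json_encode($input) . PHP_EOL;
}
echo handleSaveTemp(['content' => '<p>hi</p>', 'tempdata' => '<p>hi</p>'], true) . PHP_EOL;
echo handleSaveTemp(['content' => '<p>hi</p>', 'tempdata' => '<?php echo 1; ?>'], true) . PHP_EOL;
var_dump(pagesetAllowed(['pageset' => '1'], false));
```

Run it from the command line with `php` to see the self-check; wire handleSaveTemp in front of the existing save routine so that the file write only happens when it returns 'saved', and call pagesetAllowed before rendering any request that carries 'pageset'. Rejecting rather than stripping is the point of the design: a strip-and-save approach has to be re-run until nothing changes, whereas a rejection cannot be bypassed by nesting.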

Added: Dec 28, 2025, 6:17 PM
Updated: Dec 28, 2025, 6:17 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 10.0
exploitability: 6.3
remediation: 0.0
relevance: 1.7
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.