EyouCMS
cpe:2.3:a:eyoucms:eyoucms:*:*:*:*:*:*:*
- <= 1.7.7
A deserialization vulnerability has been identified in EyouCMS versions through 1.7.7. The issue arises in the arcpagelist functionality, where the application improperly uses the native PHP unserialize() function to deserialize data from the ey_arcmulti database table. This lack of validation allows for PHP object injection, which can be exploited using known gadget chains from ThinkPHP 5.0.24, potentially leading to remote code execution or arbitrary file deletion. Exploitation requires the ability to write to the database, either through SQL injection or other means.
Exploitation of this vulnerability allows for PHP object injection, with the possibility of remote code execution or arbitrary file deletion, depending on the deserialization payload used.
To reproduce this vulnerability, first gain access to write to the ey_arcmulti.attstr database column. This can be done through SQL injection, direct database access, or by using admin privileges to modify template files that include the eyou:arclist tag. Once the payload is inserted, send an AJAX request to the API endpoint 'index.php?m=api&c=Ajax&a=arcpagelist', including the tagid and tagidmd5 parameters that correspond to the maliciously crafted data. The vulnerable unserialize() function will then be executed, processing the injected payload and triggering the associated ThinkPHP gadget chain.
The vulnerability can be addressed by replacing the native unserialize() call with the safe_unserialize() function that already exists in application/function.php. Alternatively, pass the allowed_classes option to unserialize() (available since PHP 7.0), set to false or to an explicit list of the classes the data may legitimately contain, so that attacker-supplied objects are never instantiated and their magic methods never run; any __PHP_Incomplete_Class value that results should then be rejected rather than used. Since the stored attribute data does not need objects at all, switching the ey_arcmulti.attstr storage to JSON is recommended, as json_decode() never instantiates application classes.
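The following is an added example, not code from EyouCMS or ThinkPHP, that models the arcpagelist pattern described above: a serialized string read from ey_arcmulti.attstr is fed to native unserialize(), beside the hardened forms using allowed_classes and JSON. The DemoGadget class, its static log, the function names and the sample row content are constructed for illustration; a real ThinkPHP 5.0.24 gadget does something destructive in its magic method instead of logging.

```php
<?php
// Added example, not EyouCMS code. Models how DB-sourced attstr data reaches
// unserialize() and how the allowed_classes option / JSON stop object injection.
declare(strict_types=1);

// Stand-in for a gadget class (assumption): a class whose magic method acts on
// attacker-controlled properties, as the ThinkPHP chains do with __destruct/__wakeup.
class DemoGadget
{
    public static array $log = [];
    public string $path = '';

    public function __wakeup(): void
    {
        // A real gadget would e.g. unlink($this->path) here; we only record the call.
        self::$log[] = "__wakeup ran with path={$this->path}";
    }
}

// Constructed sample of what an attacker with DB write access could place in
// ey_arcmulti.attstr: a serialized DemoGadget with a chosen property value.
const ATTSTR_MALICIOUS = 'O:10:"DemoGadget":1:{s:4:"path";s:11:"/tmp/victim";}';

// Constructed sample of legitimate attribute data for the same column.
const ATTSTR_LEGIT = 'a:2:{s:6:"typeid";s:1:"3";s:8:"pagesize";s:2:"10";}';

// Vulnerable pattern: native unserialize() instantiates whatever class the
// string names, so __wakeup of DemoGadget runs with attacker data.
function arcpagelist_vulnerable(string $attstr): mixed
{
    return unserialize($attstr);
}

// Recursive check: reject any object left in the decoded structure, including
// __PHP_Incomplete_Class placeholders nested inside arrays.
function containsObject(mixed $value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened pattern 1: allowed_classes => false (PHP >= 7.0). Serialized objects
// become __PHP_Incomplete_Class, no application class is instantiated and no
// magic method runs; the result is then refused if any object is present.
function arcpagelist_allowed_classes(string $attstr): ?array
{
    $data = @unserialize($attstr, ['allowed_classes' => false]);
    if (!is_array($data) || containsObject($data)) {
        return null;
    }
    return $data;
}

// Hardened pattern 2: store the attribute list as JSON. json_decode() with
// $associative = true only ever yields scalars and arrays.
function arcpagelist_json(string $attjson): ?array
{
    try {
        $data = json_decode($attjson, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException) {
        return null;
    }
    return is_array($data) ? $data : null;
}

// Demonstration: the gadget fires only under the vulnerable call.
DemoGadget::$log = [];
arcpagelist_vulnerable(ATTSTR_MALICIOUS);
printf("native unserialize: %d gadget call(s)\n", count(DemoGadget::$log));

DemoGadget::$log = [];
var_dump(arcpagelist_allowed_classes(ATTSTR_MALICIOUS));
printf("allowed_classes=false: %d gadget call(s)\n", count(DemoGadget::$log));

// Legitimate data still decodes under both hardened variants.
var_dump(arcpagelist_allowed_classes(ATTSTR_LEGIT));
var_dump(arcpagelist_json(json_encode(['typeid' => '3', 'pagesize' => '10'])));
```

Running the script shows DemoGadget::__wakeup executing under the native call and not under the allowed_classes variant, while the legitimate array decodes unchanged. Note that allowed_classes on its own only neutralises object instantiation; the containsObject() walk is what turns a smuggled __PHP_Incomplete_Class into a rejected row instead of data that flows onward, which is why the check is applied before the result is used.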