iCMS Remote Code Execution Vulnerability in ConfigAdmincp.php POST Parameter Handler
Vulnerability
A critical remote code execution vulnerability has been identified in iCMS versions through 8.0.0. The issue resides in the 'save' function of the 'ConfigAdmincp' class within the 'app/config/ConfigAdmincp.php' file, where the value of the 'saveCall' POST parameter is used as the name of a PHP function to call. This allows an authenticated administrator to have arbitrary PHP functions executed. The vulnerability can be exploited remotely, but requires valid admin credentials and a CSRF token from the current session.
Impact
Exploitation of this vulnerability allows an authenticated administrator to execute arbitrary PHP code on the server, potentially leading to a full compromise of the web application and the underlying server.
Reproduction
To reproduce this vulnerability, an authenticated administrator sends a POST request to '/admincp.php/config/system' with a valid CSRF token and an 'iCMS_ADMINCP' session cookie. The 'config' parameter carries the data to be passed, while the 'saveCall' parameter names the PHP function to be executed. When the request is processed, the named function is called with the supplied data, resulting in code execution on the server.
Remediation
It is recommended to implement a whitelist of allowed callback functions, resolving the request value to a callback through that list rather than calling whatever function name the request supplies, and to validate user input before using it in function calls.
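The following is an added example of the remediation pattern described above; it is not iCMS's own code, and the handler names, the allow-list keys and the payload validation rules are assumptions modelled on the advisory, not the project's real API.

```php
<?php
// Added example (not iCMS code): guard a request-selected callback with an
// allow-list, so the raw 'saveCall' value is never handed to call_user_func().
// Handler names and request keys below are assumptions based on the advisory.

// Tokens accepted from the request mapped to the only callables permitted.
const ALLOWED_SAVE_CALLBACKS = [
    'system' => 'save_system_config',  // hypothetical handler
    'mail'   => 'save_mail_config',    // hypothetical handler
];

function save_system_config(array $config): bool { /* persist settings */ return true; }
function save_mail_config(array $config): bool { /* persist settings */ return true; }

// Resolve the 'saveCall' token to a callable, or null if it is not allow-listed.
function resolve_save_callback($token): ?callable
{
    if (!is_string($token) || !array_key_exists($token, ALLOWED_SAVE_CALLBACKS)) {
        return null;
    }
    return ALLOWED_SAVE_CALLBACKS[$token];
}

// Validate the 'config' payload: only an array of scalar values whose keys
// match a conservative pattern is accepted. Returns null on any violation.
function validate_config_payload($config): ?array
{
    if (!is_array($config)) {
        return null;
    }
    $clean = [];
    foreach ($config as $key => $value) {
        if (!is_string($key) || !preg_match('/^[a-z0-9_]{1,64}$/i', $key) || !is_scalar($value)) {
            return null;
        }
        $clean[$key] = (string) $value;
    }
    return $clean;
}

// Request handling; the CSRF and session checks are assumed to run before this.
$callback = resolve_save_callback($_POST['saveCall'] ?? null);
$config   = validate_config_payload($_POST['config'] ?? null);
if ($callback === null || $config === null) {
    http_response_code(400);
    exit('rejected: unknown save handler or malformed config');
}
call_user_func($callback, $config);
```

An unknown 'saveCall' token is rejected before any function lookup takes place, so adding a new handler means adding it to the allow-list rather than trusting the request.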