SeaCMS Remote Code Execution Vulnerability in admin_smtp.php

A remote code execution vulnerability has been identified in SeaCMS version 13.3. The issue arises in the admin_smtp.php component, where an authenticated attacker can bypass file editing restrictions to execute arbitrary commands. This exploitation is possible by injecting PHP code into specific parameters, which is then written to a PHP file that can be accessed and executed on the server.

Impact

Exploitation of this vulnerability allows for remote code execution on the server with the privileges of the web server user.

Reproduction

To reproduce this vulnerability, log into the SeaCMS admin panel and navigate to the email server settings under the 'admin_smtp.php' component. Intercept the request when submitting the form. The 'smtppsw' parameter can be injected with PHP code, such as a command to execute phpinfo(). Once the request is sent, the injected code will be executed when the 'data/admin/smtp.php' file is accessed.