baserCMS
cpe:2.3:a:basercms:basercms:*:*:*:*:*:*:*
- <= 5.2.2
A remote code execution vulnerability exists in baserCMS versions prior to 5.2.3. The issue arises in the application's database restore function, which allows users to upload a .zip file. The uploaded file is automatically extracted, and any PHP file contained within the archive is included via require_once, without proper validation or restrictions on the filename. This flaw enables an attacker to craft a malicious PHP file within the zip archive, which, when executed, could lead to arbitrary code execution on the server.
Exploitation of this vulnerability allows for remote code execution on the server where baserCMS is installed.
To reproduce this vulnerability, upload a .zip file containing a crafted PHP file into the baserCMS database restore function. The .zip file will be extracted, and the PHP file will be included using require_once, without any filename validation. Once the file is included, the PHP code can be executed, leading to remote code execution on the server.
Users are advised to update to baserCMS version 5.2.3 or later.
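For code paths that accept restore archives, the missing filename validation described above can be illustrated with a pre-extraction check. This is an added example, not baserCMS's own code or the 5.2.3 patch; the function name, the CSV-only allowlist and the sample entry names are assumptions, and it requires PHP 8 with the zip extension.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: this sketch assumes restore data is CSV only.
const ALLOWED_EXTENSIONS = ['csv'];

/**
 * Return the reasons an uploaded restore archive must be rejected.
 * An empty array means every entry passed; only then should it be extracted,
 * and extracted files should be parsed as data, never passed to require_once.
 */
function auditRestoreArchive(string $zipPath): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath, ZipArchive::RDONLY) !== true) {
        return ['archive could not be opened'];
    }
    $problems = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = (string) $zip->getNameIndex($i);
        if (str_ends_with($name, '/')) {
            continue; // directory entry, nothing to load
        }
        // Reject absolute paths, backslashes and ".." segments (zip slip).
        if ($name === '' || $name[0] === '/' || str_contains($name, '\\')
            || in_array('..', explode('/', $name), true)) {
            $problems[] = "unsafe path: $name";
            continue;
        }
        $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
            $problems[] = "extension not allowed: $name";
        }
    }
    $zip->close();
    return $problems;
}

// Constructed sample archive: one data file and one PHP file.
$sample = tempnam(sys_get_temp_dir(), 'restore');
$build = new ZipArchive();
$build->open($sample, ZipArchive::OVERWRITE);
$build->addFromString('contents.csv', "id,title\n1,Home\n");
$build->addFromString('schema.php', '<?php // placeholder');
$build->close();

print_r(auditRestoreArchive($sample));
unlink($sample);
```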