ProcessMaker Unrestricted File Upload Vulnerability Leading to Arbitrary PHP Code Execution

Vulnerability

A vulnerability allowing unrestricted file uploads has been identified in ProcessMaker versions prior to 3.5.4. It arises from improper handling of uploaded plugin archives: an attacker with administrative privileges can upload a malicious .tar file containing arbitrary PHP code through the plugin management interface. Once the plugin is installed, the injected code runs on the server with the privileges of the web server user. Chained with a privilege escalation flaw in the user profile page, this allows full remote code execution from a low-privileged account.

Impact

Exploitation of this vulnerability allows authenticated remote attackers to execute arbitrary PHP code on the server with the privileges of the web server user, which can lead to complete compromise of the affected system.

Reproduction

To reproduce this vulnerability, an attacker must have administrative access to ProcessMaker. After logging in, the attacker can upload a malicious plugin through the ProcessMaker plugin management interface. The uploaded plugin must be crafted to include PHP code that will be executed when the plugin is activated. Once the plugin is installed, the injected code will be executed on the server, resulting in arbitrary code execution.

Remediation

Users are advised to update ProcessMaker to version 3.5.4 or later, where this vulnerability has been addressed.
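Until the update can be applied, a compensating control is to gate plugin installation on a review of the uploaded archive itself. The following Python check is an added example, not ProcessMaker's code and not the fix shipped in 3.5.4: it computes the archive's SHA-256 and requires it to be on an administrator-maintained allow-list of vetted plugin builds (the list, the member limit and all file names are constructed assumptions), blocks members that would escape the install directory or redirect writes through links, and reports every server-side source file so a reviewer can see what would execute with the web server's privileges. Legitimate ProcessMaker plugins contain PHP, so source files are reported for review rather than rejected outright; the allow-list is the actual gate.

```python
import hashlib
import io
import tarfile
from typing import Iterable, List

# Assumptions for this example: plugin archives are plain .tar files (the
# format the advisory names), and the allow-list / member limit below are
# illustrative values, not ProcessMaker settings.
MAX_MEMBERS = 500
SOURCE_SUFFIXES = (".php", ".phtml", ".phar")


def audit_plugin_archive(tar_bytes: bytes, approved_digests: Iterable[str]) -> List[str]:
    """Return findings for an uploaded plugin archive.

    Entries prefixed "BLOCK:" must stop installation; "REVIEW:" entries are
    informational for the administrator approving the plugin.
    """
    findings: List[str] = []
    digest = hashlib.sha256(tar_bytes).hexdigest()
    if digest not in set(approved_digests):
        findings.append(f"BLOCK: digest {digest[:16]}... not on vetted allow-list")

    try:
        tar = tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:")
    except tarfile.TarError as exc:
        return findings + [f"BLOCK: unreadable tar archive: {exc}"]

    with tar:
        members = tar.getmembers()
        if len(members) > MAX_MEMBERS:
            findings.append(f"BLOCK: {len(members)} members exceeds limit {MAX_MEMBERS}")
        for m in members:
            parts = m.name.replace("\\", "/").split("/")
            # Absolute paths and ".." components let a member land outside
            # the plugin directory, e.g. in a web-served location.
            if m.name.startswith("/") or ".." in parts:
                findings.append(f"BLOCK: unsafe path: {m.name}")
            # Symlinks and hard links can redirect later writes elsewhere.
            if m.issym() or m.islnk():
                findings.append(f"BLOCK: link member: {m.name} -> {m.linkname}")
            if m.isfile() and m.name.lower().endswith(SOURCE_SUFFIXES):
                findings.append(f"REVIEW: server-side source file: {m.name}")
    return findings


def should_install(findings: List[str]) -> bool:
    """Install only when no finding is blocking."""
    return not any(f.startswith("BLOCK:") for f in findings)


def build_tar(files: dict) -> bytes:
    """Construct a small in-memory tar for the demonstration (constructed data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        for name, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample archives: a vetted plugin (its digest is allow-listed)
# and an unvetted one whose single member would be written outside the
# plugin directory. Neither contains real plugin code.
VETTED_ARCHIVE = build_tar({
    "myplugin/myplugin.xml": "<plugin/>",
    "myplugin/classes/class.myplugin.php": "<?php /* constructed placeholder */ ?>",
})
VETTED_DIGESTS = [hashlib.sha256(VETTED_ARCHIVE).hexdigest()]
UNVETTED_ARCHIVE = build_tar({
    "../../web/dropped.php": "<?php /* constructed placeholder */ ?>",
})

if __name__ == "__main__":
    for label, archive in (("vetted", VETTED_ARCHIVE), ("unvetted", UNVETTED_ARCHIVE)):
        findings = audit_plugin_archive(archive, VETTED_DIGESTS)
        print(label, "install" if should_install(findings) else "reject", findings)
```

The digest allow-list means an administrator account alone is no longer sufficient to get new code onto the server: the build must first have been reviewed and its hash recorded out of band, which also gives incident responders a simple artefact to compare against when investigating an unexpected plugin.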

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread          3.1
impact         10.0
exploitability  6.1
remediation     7.7
relevance       0.2
threat          7.5
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.