Vasion Print Dangerous PHP Dead Code Enables Remote Code Execution

Vulnerability

A remote code execution vulnerability exists in Vasion Print Virtual Appliance Host versions prior to 22.0.843 and Application versions prior to 20.0.1923. This vulnerability arises from dangerous PHP dead code in multiple Docker-hosted PHP instances. An unauthenticated script, '/var/www/app/resetroot.php', can be executed to perform a SQL update that resets the database administrator's username and password. Additionally, commented-out code in another PHP file could be re-enabled to unserialize session data, potentially leading to remote code execution.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where Vasion Print is hosted, leading to a complete system compromise.

Reproduction

The vulnerability can be reproduced by sending a request to the endpoint served by '/var/www/app/resetroot.php' in a Docker container running Vasion Print. This request can be made without authentication, and once executed, it resets the MySQL root password, allowing full control over the database. If the deserialization vulnerability in 'oses.php' is also exploited, it could lead to remote code execution.
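The two defects described above (an unauthenticated reset script that rewrites credentials, and a commented-out unserialize() call left in place) are exactly the kind of dead code a defender can hunt for in their own PHP deployments before a vendor patch arrives. The following is an added example, not code from the advisory or from Vasion: a small static checker that separates PHP comments from live code, flags unserialize() calls whether they are active or commented out, and flags files that update a username/password column with no reference to a session or authentication helper. The file names and contents are constructed samples; the regular expressions and the scan_tree() helper are this example's own heuristics, not anything the vendor ships.

```python
"""Heuristic scanner for dangerous PHP dead code (added example, not vendor code)."""
import re
from pathlib import Path

# Constructed sample files that mirror the two patterns in the advisory.
# They are illustrative stand-ins, not the real Vasion Print sources.
SAMPLE_FILES = {
    "resetroot.php": """<?php
require_once 'db.php';
$db->query("UPDATE users SET username='root', password='changeme' WHERE id=1");
""",
    "oses.php": """<?php
session_start();
// $data = unserialize($_SESSION['os_state']);
$data = json_decode($_SESSION['os_state'], true);
""",
    "login.php": """<?php
session_start();
if (!isset($_SESSION['user'])) { header('Location: /login'); exit; }
$db->query("UPDATE users SET last_login=NOW() WHERE id=?");
""",
}

UNSERIALIZE_RE = re.compile(r"\bunserialize\s*\(")
# UPDATE statement that touches a credential column (assumed column names).
CRED_UPDATE_RE = re.compile(
    r"UPDATE\s+\w+\s+SET\s+[^;]*\b(password|passwd|username)\b", re.I)
# Anything that looks like a session or auth gate (assumed helper names).
AUTH_GUARD_RE = re.compile(
    r"\$_SESSION\[|session_start\s*\(|require_auth|isLoggedIn|check_auth", re.I)


def split_line_comments(source: str) -> list[tuple[int, str, str]]:
    """Split PHP source into (line_no, code, comment) triples.

    Handles //, # and /* ... */ comments line by line. It is a heuristic:
    comment markers inside string literals (e.g. "http://") are not
    understood, which is acceptable for an audit that a human reviews.
    """
    out, in_block = [], False
    for no, line in enumerate(source.splitlines(), 1):
        code, comment, rest = "", "", line
        while rest:
            if in_block:
                end = rest.find("*/")
                if end < 0:
                    comment, rest = comment + rest, ""
                else:
                    comment, rest, in_block = comment + rest[:end], rest[end + 2:], False
            else:
                m = re.search(r"//|#|/\*", rest)
                if not m:
                    code, rest = code + rest, ""
                else:
                    code += rest[:m.start()]
                    if m.group() == "/*":
                        in_block, rest = True, rest[m.end():]
                    else:
                        comment, rest = comment + rest[m.end():], ""
        out.append((no, code, comment))
    return out


def scan_php(name: str, source: str) -> list[dict]:
    """Return findings for one PHP file."""
    findings = []
    lines = split_line_comments(source)
    active = "\n".join(code for _, code, _ in lines)
    for no, code, comment in lines:
        if UNSERIALIZE_RE.search(comment):
            findings.append({"file": name, "line": no, "rule": "dead-unserialize",
                             "detail": "commented-out unserialize(); delete it rather than leave it to be re-enabled"})
        if UNSERIALIZE_RE.search(code):
            findings.append({"file": name, "line": no, "rule": "live-unserialize",
                             "detail": "unserialize() on data that may be attacker-influenced"})
    if CRED_UPDATE_RE.search(active) and not AUTH_GUARD_RE.search(active):
        findings.append({"file": name, "line": 0, "rule": "unauthenticated-credential-reset",
                         "detail": "credential UPDATE with no session/auth reference in the file"})
    return findings


def scan_samples() -> list[dict]:
    """Run the scanner over the constructed samples (used by the demo)."""
    return [f for name, src in SAMPLE_FILES.items() for f in scan_php(name, src)]


def scan_tree(root: Path) -> list[dict]:
    """Scan every *.php file under root, e.g. a mounted /var/www/app volume."""
    return [f for p in root.rglob("*.php") for f in scan_php(str(p), p.read_text(errors="replace"))]


if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f['file']}:{f['line']} [{f['rule']}] {f['detail']}")
```

Run against the samples, the checker reports the credential reset in resetroot.php and the commented-out unserialize() in oses.php, and stays quiet on login.php, whose update is gated by a session check and touches no credential column. Point scan_tree() at an exported container filesystem to triage a real deployment; treat the output as a review queue, since the comment splitter and auth-guard patterns are intentionally simple.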

Remediation

Users can update to Vasion Print Virtual Appliance Host version 22.0.843 and Application version 20.0.1923, both of which include the necessary fix. Instructions for updating the Vasion Windows Client are also available.

Added: Sep 19, 2025, 7:20 PM
Updated: Sep 19, 2025, 7:20 PM

Vulnerability Rating

Custom Algorithm
  spread          0.0
  impact          7.5
  exploitability  8.4
  remediation     0.0
  relevance       0.6
  threat          4.9
  urgency         2.9
  incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.