Use It Flow Remote Code Execution Vulnerability in Admin Moniteur.php Script
Vulnerability
A remote code execution vulnerability has been identified in the Use It Flow administration website, specifically in versions prior to 10.0.0. The issue arises in the 'flow/admin/moniteur.php' script, which processes GET requests by taking user input from the 'action' URL parameter. The script performs inadequate validation and executes the input using the 'eval()' function. Although there is a 'method_exists()' check, it only verifies the input before the first parenthesis, allowing attackers to append arbitrary PHP code after a valid method name. Exploitation of this vulnerability enables unauthenticated or minimally authenticated attackers to execute arbitrary PHP code on the server with the same privileges as the web server process.
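The check described above validates one string (the text before the first parenthesis) but evaluates another (the whole parameter). The following is an added example, not Use It Flow's code or its 10.0.0 fix: a dispatcher that compares the entire 'action' value against an allowlist and calls the method directly instead of using 'eval()'. Only the class name UIFWebService comes from the advisory; the 'status' method, ALLOWED_ACTIONS and dispatch() are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the real class; its method is invented for the demo.
final class UIFWebService
{
    public function status(string $login, string $password): string
    {
        return 'status requested by ' . $login;
    }
}

// Only these method names may be reached from the 'action' parameter.
const ALLOWED_ACTIONS = ['status'];

function dispatch(UIFWebService $svc, array $query): string
{
    $action   = $query['action'] ?? null;
    $login    = $query['login'] ?? null;
    $password = $query['password'] ?? null;

    // Reject arrays (action[]=...) and missing values before any comparison.
    if (!is_string($action) || !is_string($login) || !is_string($password)) {
        throw new InvalidArgumentException('malformed request');
    }
    // Compare the WHOLE value, not just the text before the first "(".
    if (!in_array($action, ALLOWED_ACTIONS, true) || !method_exists($svc, $action)) {
        throw new InvalidArgumentException('unknown action');
    }
    // Variable method call: $action is only ever a method name, never PHP source.
    return $svc->$action($login, $password);
}

// Constructed inputs: a bare method name, and a name with trailing text.
$svc = new UIFWebService();
$samples = ['status', 'status();TRAILING_TEXT'];
foreach ($samples as $action) {
    try {
        echo dispatch($svc, ['action' => $action, 'login' => 'demo', 'password' => 'demo']), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The second sample begins with a valid method name, so a prefix-only 'method_exists()' check would accept it; the full-string comparison rejects it.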
Impact
Successful exploitation allows arbitrary PHP code execution on the server, potentially leading to full system compromise, data theft, unauthorized data modification or deletion, installation of malware or backdoors, or use of the compromised server to attack other systems.
Reproduction
To reproduce this vulnerability, send a GET request to 'flow/admin/moniteur.php' with a crafted 'action' parameter. The 'action' parameter must begin with a valid method name from the 'UIFWebService' class, followed by injected PHP code. Include arbitrary 'login' and 'password' parameters to authenticate, as these are used within the method called by the 'action' parameter.
Remediation
Users are advised to update to Use It Flow version 10.0.0 or later, where this vulnerability has been addressed.
