Vfront
cpe:2.3:a:vfront:vfront:*:*:*:*:*:*:*
- 0.99.52
A PHP Object Injection vulnerability has been identified in Vfront version 0.99.52, specifically within the mexcel.php file. This vulnerability arises from a call to unserialize(base64_decode($_POST['mexcel'])), where the 'mexcel' parameter is user-controlled. The lack of validation and the absence of the allowed_classes option in the unserialize function allow attackers to inject arbitrary PHP objects. Exploitation of this vulnerability could lead to various malicious outcomes, including Remote Code Execution (RCE), SQL Injection, Path Traversal, or Denial of Service, depending on the presence of exploitable classes in the Vfront codebase or its dependencies.
Exploitation of this vulnerability allows for PHP Object Injection, which could lead to Remote Code Execution, SQL Injection, Path Traversal, or Denial of Service, based on the availability of vulnerable classes.
Users are advised to remove or restrict access to mexcel.php, and to validate the 'mexcel' input by sanitizing it or using the allowed_classes option in the unserialize function.
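The remediation above, sketched as an added example; this is not Vfront's own code. The helper names decode_mexcel and only_plain_data, the size limit, and the assumption that 'mexcel' should carry only nested arrays of scalar values are hypothetical. The options argument to unserialize requires PHP 7.0 or later.

```php
<?php
declare(strict_types=1);
// Vulnerable pattern described in the advisory (do not use):
//   $data = unserialize(base64_decode($_POST['mexcel']));
const MEXCEL_MAX_BYTES = 65536; // assumed upper bound, tune to the real payload size

/** Recursively confirm the value holds only arrays and scalars, never objects. */
function only_plain_data($value): bool
{
    if (is_array($value)) {
        foreach ($value as $item) {
            if (!only_plain_data($item)) {
                return false;
            }
        }
        return true;
    }
    return $value === null || is_scalar($value);
}

/** Hypothetical helper: decode the 'mexcel' field without instantiating any class. */
function decode_mexcel(string $raw): array
{
    if (strlen($raw) > MEXCEL_MAX_BYTES) {
        throw new InvalidArgumentException('mexcel: payload too large');
    }
    $bytes = base64_decode($raw, true); // strict mode rejects non-base64 characters
    if ($bytes === false) {
        throw new InvalidArgumentException('mexcel: not valid base64');
    }
    // allowed_classes => false turns every serialized object into
    // __PHP_Incomplete_Class, so no application class magic methods run.
    $data = @unserialize($bytes, ['allowed_classes' => false]);
    if (!is_array($data) || !only_plain_data($data)) {
        throw new InvalidArgumentException('mexcel: unexpected structure');
    }
    return $data;
}

// Constructed samples: a plain array, and an array wrapping a serialized object.
$ok  = base64_encode(serialize(['sheet' => 'report', 'rows' => [[1, 'a'], [2, 'b']]]));
$bad = base64_encode('a:1:{i:0;O:8:"stdClass":0:{}}');
var_dump(decode_mexcel($ok)['sheet']);
try {
    decode_mexcel($bad);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL; // the object-bearing payload is rejected
}
```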