e107
cpe:2.3:a:e107:e107:*:*:*:*:*:*:*
- <= 2.3.3
A vulnerability allowing insecure deserialization has been identified in e107 CMS versions through 2.3.3. The issue arises in the installation script (install.php), where user-controlled input in the previous_steps POST parameter is processed using unserialize(base64_decode()) without proper validation. This flaw enables attackers to create malicious serialized data, potentially leading to remote code execution, arbitrary file operations, or denial of service, depending on the availability of exploitable PHP object gadgets within the application or its dependencies.
Exploitation of this vulnerability could result in PHP object injection, allowing for remote code execution, manipulation of data, or other malicious activities, based on the presence of vulnerable classes in the e107 codebase or its dependencies.
To reproduce this vulnerability, send a POST request to the install.php script with a base64-encoded serialized string in the previous_steps parameter. The crafted serialized data can exploit the vulnerability by leveraging available PHP object gadgets to achieve the desired malicious outcome.
After completing the CMS installation, remove the install.php file to eliminate the vulnerability. Additionally, restrict access to install.php using server configuration options, such as .htaccess.
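A detection aid for the request described above, added here as an example and not taken from the advisory or from e107's code: it base64-decodes a captured previous_steps value and tokenizes PHP's serialize() format to list any class names (O: and C: tokens) the value would ask unserialize() to instantiate. The function names and the sample values are constructed for illustration; input the tokenizer does not recognise is reported as malformed rather than plain.

```python
import base64
import re

# One token of PHP's serialize() format: a scalar or structural token, a string
# head, or an object ("O") / Serializable ("C") head, which names a class.
_TOKEN = re.compile(rb'(?:N;|[bidrR]:[-+.\w]*;|a:\d+:\{|\})|s:(\d+):"|([OC]):(\d+):"')
_COUNT = re.compile(rb'":(\d+):\{')


def class_names(raw):
    """Tokenize serialized bytes and return every class name they reference."""
    pos, classes = 0, []
    while pos < len(raw):
        m = _TOKEN.match(raw, pos)
        if not m:
            raise ValueError(f"unrecognised token at offset {pos}")
        pos = m.end()
        if m[1]:  # string: skip the body by its declared length, then '";'
            pos += int(m[1]) + 2
            if raw[pos - 2:pos] != b'";':
                raise ValueError("unterminated string")
        elif m[2]:  # class name, then ':COUNT:{' (a "C" payload is skipped whole)
            end = pos + int(m[3])
            count = _COUNT.match(raw, end)
            if not count:
                raise ValueError("bad object header")
            classes.append(raw[pos:end].decode("latin-1"))
            pos = count.end() + (int(count[1]) if m[2] == b"C" else 0)
    return classes


def inspect_previous_steps(field):
    """Classify a base64 previous_steps value; return (verdict, classes)."""
    try:
        classes = class_names(base64.b64decode(field, validate=True))
    except ValueError:  # includes binascii.Error raised for invalid base64
        return "malformed", []
    return ("object" if classes else "plain"), classes


if __name__ == "__main__":
    for raw in (b'a:1:{s:8:"language";s:7:"English";}',      # constructed sample
                b'a:1:{s:5:"admin";O:8:"stdClass":0:{}}'):    # constructed sample
        print(raw, inspect_previous_steps(base64.b64encode(raw)))
```

Strings are skipped by their declared length, so text that merely looks like an object token inside a string value is not reported. On the assumption that legitimate installer step data holds only arrays and scalars, an object or malformed verdict on a request to install.php is worth an alert.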