Intermesh GroupOffice Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in Intermesh GroupOffice versions prior to 25.0.47 and 6.8.136. This issue allows authenticated users with custom field management privileges to execute arbitrary PHP code on the server. The vulnerability arises in the 'FunctionField' custom field type, where the 'dbToApi()' method improperly uses PHP's 'eval()' function to execute user-controlled input, creating a code injection risk.
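The following PHP sketch is an added illustration and not code from GroupOffice: it places the eval()-on-option pattern the advisory describes next to an allow-list dispatcher in which the stored 'function' option is only ever used as a lookup key. The function names dbToApiUnsafe, dbToApiSafe and allowedFunctions, and the 'columns' option, are hypothetical.

```php
<?php
// Added illustration (not GroupOffice code). The unsafe variant mirrors the
// pattern in the advisory: a string that a custom-field manager can store is
// handed to eval(), so it runs as PHP with the web server's privileges.
function dbToApiUnsafe(array $options, array $record)
{
    // $options['function'] is user-controlled, e.g. 'return $record["a"] + $record["b"];'
    return eval($options['function']);
}

// Hardened variant: the only computations available are the ones declared
// here, keyed by name. No user-supplied string ever reaches eval().
function allowedFunctions(): array
{
    return [
        'sum'    => fn(array $r, array $cols) =>
            array_sum(array_map(fn($c) => (float)($r[$c] ?? 0), $cols)),
        'concat' => fn(array $r, array $cols) =>
            implode(' ', array_map(fn($c) => (string)($r[$c] ?? ''), $cols)),
    ];
}

function dbToApiSafe(array $options, array $record)
{
    $table = allowedFunctions();
    $name  = (string)($options['function'] ?? '');
    if (!array_key_exists($name, $table)) {
        throw new InvalidArgumentException("Unknown function option: $name");
    }
    // Column names are validated as identifiers so the option carries no code.
    $cols = $options['columns'] ?? [];
    foreach ($cols as $c) {
        if (!is_string($c) || !preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $c)) {
            throw new InvalidArgumentException('Bad column name in custom field options');
        }
    }
    return ($table[$name])($record, $cols);
}

// Constructed sample record and options for a quick local check.
$record = ['a' => 2, 'b' => 3, 'name' => 'widget'];
var_dump(dbToApiSafe(['function' => 'sum',    'columns' => ['a', 'b']],    $record));
var_dump(dbToApiSafe(['function' => 'concat', 'columns' => ['name', 'a']], $record));
try {
    dbToApiSafe(['function' => 'phpinfo();', 'columns' => []], $record);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Auditing for this pattern means grepping the code base for eval() (and create_function(), which is equivalent) wherever the argument can originate from a stored option or request parameter.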

Impact

Exploitation of this vulnerability could lead to complete server compromise, allowing attackers to execute arbitrary system commands, access sensitive files and database contents, disrupt services by modifying or deleting critical system files, and potentially escalate privileges depending on the web server configuration.

Reproduction

To reproduce this vulnerability, an authenticated user with 'mayChangeCustomFields' permission can create a custom field of type 'FunctionField' and include a malicious payload in the 'function' option. Once the field is created, the payload is executed on the server when the custom field is accessed, demonstrating the arbitrary code execution.

Remediation

Users are advised to update to GroupOffice versions 25.0.47 or 6.8.136. Additionally, the 'FunctionField' type should be disabled, and permissions for 'mayChangeCustomFields' should be reviewed and audited.

Added: Nov 13, 2025, 7:18 PM
Updated: Nov 13, 2025, 7:18 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 10.0
exploitability: 6.6
remediation: 8.3
relevance: 1.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.