Xinhu Rainrock RockOA
cpe:2.3:a:rockoa:xinhu:*:*:*:*:*:*:*
- 2.7.0
A vulnerability exists in the Xinhu Rainrock RockOA version 2.7.0 within the 'phpinisaveAction' method of 'coginiAction.php'. This issue allows authenticated users to remotely alter PHP configuration files. The vulnerability arises because the system permits users to change PHP settings through POST requests without adequate authorization, using 'file_put_contents()' to write these changes directly to the PHP.ini file. This flaw could be exploited to escalate privileges and modify essential PHP settings.
Exploitation of this vulnerability could lead to unauthorized modification of PHP configuration files, allowing for privilege escalation, resource exhaustion, security bypasses, and potential system compromise.
To reproduce this vulnerability, an authenticated user must send a POST request to 'index.php' with the 'a' parameter set to 'phpinisave', the 'm' parameter set to 'cogini', and the 'd' parameter set to 'system'. The request must include the path to the PHP.ini file and the desired configuration changes, such as increasing memory limits or disabling security functions. This vulnerability can be exploited in conjunction with the 'phpinfo()' method to gather information about the PHP environment, including the path to the PHP.ini file and current configuration values.
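One way to spot the request described above in web-server access logs, added here as an example and not taken from RockOA or from this advisory. It assumes combined-format access logs and that the 'a', 'm' and 'd' parameters appear in the query string (values sent only in the POST body are not logged); the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameter values named in the advisory's reproduction steps.
TARGET = {"a": "phpinisave", "m": "cogini", "d": "system"}

# Common/combined log format: ip ident user [time] "METHOD uri proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def is_phpinisave_request(method, uri):
    """True when a POST to index.php carries a=phpinisave, m=cogini, d=system."""
    if method != "POST":
        return False
    parts = urlsplit(uri)
    if not parts.path.lower().endswith("index.php"):
        return False
    # parse_qs URL-decodes values and keeps repeated parameters as lists,
    # so parameter order, percent-encoding and duplicates do not hide a match.
    params = parse_qs(parts.query, keep_blank_values=True)
    return all(
        any(v.strip().lower() == want for v in params.get(key, []))
        for key, want in TARGET.items()
    )

def find_hits(lines):
    """Return (ip, time, status) for every matching log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_phpinisave_request(m["method"], m["uri"]):
            hits.append((m["ip"], m["time"], int(m["status"])))
    return hits

# Constructed sample log lines (documentation IP range, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /index.php?m=login HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Jan/2025:10:05:12 +0000] "POST /index.php?a=phpinisave&m=cogini&d=system HTTP/1.1" 200 64',
    '192.0.2.44 - - [01/Jan/2025:10:05:40 +0000] "POST /index.php?d=system&m=cogini&a=%70hpinisave HTTP/1.1" 200 64',
    '192.0.2.10 - - [01/Jan/2025:10:06:00 +0000] "GET /index.php?a=phpinisave&m=cogini&d=system HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for ip, when, status in find_hits(SAMPLE_LOG):
        print(f"{when} {ip} status={status} POST a=phpinisave m=cogini d=system")
```

A hit with a 2xx status is worth correlating with the modification time of the server's PHP.ini file, since the advisory states the handler writes changes to it directly.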