ORSEE Remote Code Execution Vulnerability in Participant Profile Processing

Vulnerability

A remote code execution vulnerability has been identified in ORSEE (Online Recruitment System for Economic Experiments) version 3.1.0. This issue arises in the participant profile field processing subsystem, where certain field configurations can be manipulated to include values prefixed with 'func:'. These values are then passed directly into an eval() function call in 'tagsets/participant.php' and 'tagsets/options.php', allowing authenticated users to execute arbitrary PHP code on the server.

Impact

Exploitation of this vulnerability allows authenticated users with administrative privileges to execute arbitrary PHP code on the server. This could lead to a full compromise of the application, potential access to sensitive data such as credentials and database information, and in some cases, a complete takeover of the server depending on the privileges of the web server process.

Remediation

To address this vulnerability, it is recommended to remove the use of eval() for processing field values and replace it with a safe parser or a whitelist-based function handler. Additionally, all field inputs should be strictly validated and sanitized to disallow arbitrary function execution. Access controls should be implemented to restrict sensitive configuration changes, along with logging and monitoring for admin actions.
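The following is an added illustration of the whitelist-based handler the remediation recommends; it is not ORSEE's code and does not reproduce the affected files. It assumes a hypothetical resolver class, handler names ('today', 'upper', 'year_plus') and sample field values; only a fixed set of named handlers may follow the 'func:' prefix, and nothing from the field value is ever evaluated as PHP.

```php
<?php
// Added example, not ORSEE's own code. Hypothetical replacement for an
// eval()-based "func:" handler: field values beginning with "func:" are
// dispatched to a fixed allow-list of named handlers instead of being
// evaluated as PHP source. Class, handler names and sample values are assumed.

declare(strict_types=1);

final class FieldValueResolver
{
    /** @var array<string, callable(string): string> allow-listed handlers keyed by name */
    private array $handlers;

    public function __construct()
    {
        // Only these names may follow "func:". Each handler receives the raw
        // argument as a string and returns a string; no code is interpreted.
        $this->handlers = [
            'today'     => static fn(string $arg): string => date('Y-m-d'),
            'upper'     => static fn(string $arg): string => strtoupper($arg),
            'year_plus' => static fn(string $arg): string => (string)((int)date('Y') + (int)$arg),
        ];
    }

    public function resolve(string $value): string
    {
        if (strncmp($value, 'func:', 5) !== 0) {
            return $value;                        // plain literal, returned unchanged
        }
        // Expected shape: func:<name>[:<argument>]; the name is limited to [a-z_]
        // and the argument to a bounded length, so the value can be matched strictly.
        if (!preg_match('/^func:([a-z_]{1,32})(?::(.{0,256}))?\z/s', $value, $m)) {
            throw new InvalidArgumentException('malformed func: field value');
        }
        $name = $m[1];
        $arg  = $m[2] ?? '';
        if (!array_key_exists($name, $this->handlers)) {
            // Unknown names are logged and rejected rather than executed.
            error_log("rejected unknown field function: $name");
            throw new InvalidArgumentException("unknown field function: $name");
        }
        return ($this->handlers[$name])($arg);
    }
}

// Constructed sample inputs.
$r = new FieldValueResolver();
var_dump($r->resolve('Hello'));               // plain value, unchanged
var_dump($r->resolve('func:upper:hello'));    // "HELLO"
var_dump($r->resolve('func:year_plus:1'));    // next year as a string
try {
    $r->resolve('func:not_allowed:x');        // not in the allow-list: rejected
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The design point is that the set of callable behaviours is fixed in code and reviewed with it; a field value can only select among those behaviours, never define new ones, which removes the class of bug entirely rather than trying to filter eval() input. Logging the rejected name gives the admin-action monitoring the remediation also calls for something concrete to alert on.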

Added: May 15, 2026, 8:39 PM
Updated: May 15, 2026, 8:39 PM

Vulnerability Rating

Custom Algorithm

spread         0.0
impact         7.5
exploitability 5.5
remediation    0.0
relevance      8.4
threat         6.4
urgency        2.9
incentive      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.