Kiamo PHP Code Execution Vulnerability

A vulnerability allowing authenticated administrative users to execute arbitrary PHP code on the server has been identified in Kiamo versions prior to 8.4. This issue arises from an administrative feature that exposes a script execution capability.

Impact

Exploitation of this vulnerability allows for arbitrary PHP code execution on the server, potentially leading to a full compromise of the application or server environment.

Reproduction

The vulnerability can be reproduced by logging into Kiamo with an administrative account. Once authenticated, navigate to the 'Tools' section in the admin interface, where the 'Script' feature is available. This feature can be used to execute PHP scripts on the server. For example, a reverse shell script can be uploaded and executed, initiating a connection back to the attacker's machine and providing interactive shell access on the server.

Remediation

Users are advised to update to Kiamo version 8.4 or later, where this vulnerability has been fixed. In the meantime, access to administrative interfaces should be restricted and the use of the script execution feature monitored.