BoyunCMS Deserialization Vulnerability in Installation Handler Allowing Arbitrary File Read
Vulnerability
A critical deserialization vulnerability has been identified in BoyunCMS versions through 1.21 running on PHP 7. The issue resides in the Installation Handler component, specifically in the file install/install2.php. The vulnerability is triggered by manipulating the db_host argument, which leads to unauthorized deserialization of data. The flaw can be exploited remotely, although the attack complexity is rated high.
Impact
Exploitation of this vulnerability could lead to unauthorized deserialization of data, potentially allowing attackers to read arbitrary files from the client system, that is, the host running BoyunCMS, which acts as the MySQL client. In PHP versions through 7.1, this could be further exploited by using the LOCAL INFILE feature to access sensitive information or to trigger other vulnerabilities related to PHP object serialization.
Reproduction
To reproduce this vulnerability, send a POST request to install/install2.php with the db_host parameter set to a malicious MySQL server under the attacker's control. Once the application has connected, the LOCAL INFILE feature is used to read files from the client system, which could include sensitive data or files that trigger deserialization vulnerabilities.
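The two defensive controls that break the chain described above are an allowlist on db_host (so the installer can never be pointed at an attacker-controlled MySQL server) and disabling LOCAL INFILE on the PHP client side (so a connected server cannot ask the client to send it local files). The following is an added example of a hardened install-time connection routine; it is not BoyunCMS's own code. The function names, the POST field names other than db_host, and the allowlist contents are assumptions made for the example.

```php
<?php
// Added example (not BoyunCMS code): a hardened replacement for the
// install-time database connection performed by install/install2.php.
// Assumptions: the handler receives db_host, db_user, db_pass, db_name and
// db_port from the POST body; the allowlist below is a constructed sample
// and a real deployment would load it from configuration.

declare(strict_types=1);

// Constructed allowlist: the only hosts the installer may connect to.
const ALLOWED_DB_HOSTS = ['127.0.0.1', 'localhost', 'db.internal.example'];

/**
 * Reject any db_host that is not on the allowlist. Returns the validated
 * host string or null when the value must not be used.
 */
function validateDbHost(string $host): ?string
{
    $host = trim($host);
    // Only hostname characters: a port, socket path or scheme smuggled into
    // the host string would change where the client connects.
    if ($host === '' || strlen($host) > 253 || preg_match('/[^A-Za-z0-9.\-]/', $host)) {
        return null;
    }
    return in_array($host, ALLOWED_DB_HOSTS, true) ? $host : null;
}

/**
 * Open the connection with LOCAL INFILE disabled on the client side, so a
 * malicious or compromised server cannot pull files from this host via
 * LOAD DATA LOCAL requests.
 */
function connectInstallerDb(string $host, string $user, string $pass, string $db, int $port = 3306): mysqli
{
    $mysqli = mysqli_init();
    if ($mysqli === false) {
        throw new RuntimeException('mysqli_init failed');
    }
    // Client-side defence: refuse any LOAD DATA LOCAL request from the server.
    $mysqli->options(MYSQLI_OPT_LOCAL_INFILE, false);
    // Do not let the installer hang on an unreachable host.
    $mysqli->options(MYSQLI_OPT_CONNECT_TIMEOUT, 5);
    if (!$mysqli->real_connect($host, $user, $pass, $db, $port)) {
        throw new RuntimeException('Database connection failed: ' . mysqli_connect_error());
    }
    return $mysqli;
}

// Handler: validate first, connect second.
$host = validateDbHost((string)($_POST['db_host'] ?? ''));
if ($host === null) {
    http_response_code(400);
    exit('db_host is not an allowed database host');
}
$port = (int)($_POST['db_port'] ?? 3306);
$conn = connectInstallerDb(
    $host,
    (string)($_POST['db_user'] ?? ''),
    (string)($_POST['db_pass'] ?? ''),
    (string)($_POST['db_name'] ?? ''),
    $port
);
```

The MYSQLI_OPT_LOCAL_INFILE option is set per connection; the mysqli.allow_local_infile php.ini directive disables the feature process-wide and is the simpler control where the installer's code cannot be changed. Removing or locking down the install/ directory once setup is complete also removes this attack surface entirely.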
