BoyunCMS Remote Code Execution Vulnerability via Configuration Injection in install_ok.php
Vulnerability
A critical remote code execution vulnerability has been identified in BoyunCMS versions through 1.4.20. The issue resides in install/install_ok.php, within the Configuration File Handler component. The installer writes the user-supplied database credentials, in particular the database password, into application/database.php without escaping them for PHP source. Because that file is PHP code rather than plain data, an attacker who submits a database password containing a quote character followed by PHP code during installation gets that code written verbatim into the configuration file. The injected code then runs on every subsequent request that includes the configuration file, giving code execution as the web server user and, from there, full server compromise.
Impact
Exploitation of this vulnerability allows remote code execution on the server where BoyunCMS is installed. The attack is only possible while install/install_ok.php is reachable, so an installer that has not been removed or locked down after setup is the exposure to check for. Once the payload has been written, it persists in application/database.php and is executed on each request that loads that file, until the file is regenerated or cleaned.
Reproduction
To reproduce this vulnerability, first start a MySQL database container and create a database named 'aaa' so that the installer's database step succeeds. Then run the BoyunCMS installer and send the installation POST request to install/install_ok.php with the db_pass parameter set to a value containing PHP code. The installer writes that value into application/database.php. Finally, request any page that requires this config file: the injected code executes, and a payload that calls phpinfo() makes the execution visible in the response.
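The write-and-include pattern behind this vulnerability, modelled as an added example that is not BoyunCMS code: a vulnerable config writer that interpolates the submitted password straight into PHP source, next to a hardened writer that emits the same data with var_export(), plus a token-based check that tells whether a generated database.php is still pure data. The key names and file layout are assumptions; the constructed payload uses strtoupper() in place of the phpinfo() call from the reproduction so that the demonstration output stays small.

```php
<?php
// Added example: a minimal model of the install-time config writer, not BoyunCMS code.
// The layout of application/database.php and the key names below are assumptions.

// Vulnerable pattern: the raw request value is interpolated into PHP source, so a
// password containing a single quote leaves the string literal and becomes code.
function buildConfigVulnerable(string $host, string $user, string $pass, string $name): string
{
    return "<?php\nreturn array(\n"
        . "    'DB_HOST' => '{$host}',\n"
        . "    'DB_USER' => '{$user}',\n"
        . "    'DB_PWD'  => '{$pass}',\n"
        . "    'DB_NAME' => '{$name}',\n"
        . ");\n";
}

// Hardened pattern: var_export() emits a valid PHP literal for any string, so quotes,
// backslashes and newlines in the password stay inside the literal.
function buildConfigHardened(string $host, string $user, string $pass, string $name): string
{
    $config = ['DB_HOST' => $host, 'DB_USER' => $user, 'DB_PWD' => $pass, 'DB_NAME' => $name];
    return "<?php\nreturn " . var_export($config, true) . ";\n";
}

// Check a generated config before trusting it: a file that is pure data contains no
// identifiers. Any T_STRING token (a function or constant name) means code leaked in.
// Note: var_export() of true/false/null would also yield T_STRING; this config is all strings.
function countIdentifiers(string $src): int
{
    $n = 0;
    foreach (token_get_all($src) as $tok) {
        if (is_array($tok) && $tok[0] === T_STRING) {
            $n++;
        }
    }
    return $n;
}

// Load a generated config the way a normal request would (include) and return the array.
function loadConfig(string $src): array
{
    $path = tempnam(sys_get_temp_dir(), 'dbcfg');
    file_put_contents($path, $src);
    $config = include $path;
    unlink($path);
    return $config;
}

// Constructed payload in the shape the advisory describes: break out of the quote,
// concatenate a call, reopen the quote so the surrounding array stays syntactically valid.
// strtoupper() stands in for phpinfo() to keep the output readable.
$payload = "'.strtoupper('injected').'";

$vuln = buildConfigVulnerable('127.0.0.1', 'root', $payload, 'aaa');
$hard = buildConfigHardened('127.0.0.1', 'root', $payload, 'aaa');

echo "identifiers in vulnerable config: " . countIdentifiers($vuln) . "\n";
echo "identifiers in hardened config:   " . countIdentifiers($hard) . "\n";

// Including the vulnerable file runs the injected call, so DB_PWD comes back transformed.
echo "vulnerable DB_PWD: " . loadConfig($vuln)['DB_PWD'] . "\n";
// The hardened file keeps the payload as an inert string, exactly as it was submitted.
echo "hardened DB_PWD:   " . loadConfig($hard)['DB_PWD'] . "\n";
```

Run it with `php example.php`: the vulnerable config reports one identifier and yields an uppercased password, proving that the included file executed the submitted value, while the hardened config reports none and returns the payload unchanged. Escaping the value fixes the injection itself; independently of that, the install/ directory should be removed or made unreachable once setup is complete, because the vulnerable code path is the installer's own POST handler.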
