baserCMS OS Command Injection Vulnerability in Core Update Functionality Allowing Remote Code Execution

Vulnerability

A critical OS command injection vulnerability has been identified in baserCMS versions prior to 5.2.3. It allows an authenticated administrator to execute arbitrary OS commands on the server through the core update functionality. The root cause is that user-supplied input is passed directly to PHP's exec() function without validation or escaping, so an attacker holding administrative privileges can craft the input to run commands of their choosing on the server.

Impact

Exploitation of this vulnerability allows for remote code execution on the server with the same privileges as the web server user.

Reproduction

To reproduce this vulnerability, an authenticated administrator can send a POST request to the '/baser/admin/baser-core/plugins/get_core_update' endpoint. The 'php' parameter can be manipulated to include OS commands, which will then be executed on the server via the exec() function. This exploitation can be done through the normal user interface or by using a tool like curl, as long as the request includes a valid CSRF token.
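The pattern the advisory describes, and the corresponding fix, as an added PHP illustration that is not baserCMS's own code (the parameter name 'php' comes from the advisory; the function names, the composer.phar invocation, the validation rules and the sample inputs are hypothetical). The unsafe function is shown only for contrast and is never called; the hardened version refuses anything that is not a plain path to a PHP interpreter and starts the updater without a shell at all:

```php
<?php
declare(strict_types=1);

// Hypothetical unsafe handler, mirroring the advisory: the request parameter is
// concatenated into a command string and handed to exec(), so any shell syntax
// in it is honoured. Shown for contrast only; not invoked below.
function runCoreUpdateUnsafe(string $php): array
{
    $out = [];
    exec($php . ' composer.phar update', $out); // user input reaches the shell unescaped
    return $out;
}

// Hardened validation (assumption: the only legitimate value of the 'php'
// parameter is an absolute path to a PHP interpreter binary).
function validatePhpBinary(string $php): string
{
    // Accept only a plain absolute path: no whitespace, no shell metacharacters,
    // no relative components.
    if (!preg_match('#\A/[A-Za-z0-9._/-]+\z#', $php) || str_contains($php, '..')) {
        throw new InvalidArgumentException('php parameter is not a plain absolute path');
    }
    $real = realpath($php);
    if ($real === false || !is_file($real) || !is_executable($real)) {
        throw new InvalidArgumentException('php parameter does not point to an executable file');
    }
    // The binary name itself must look like a PHP interpreter (php, php8.2, php-cli, ...).
    if (!preg_match('/\Aphp[0-9.]*(-cli)?\z/', basename($real))) {
        throw new InvalidArgumentException('php parameter is not a PHP interpreter');
    }
    return $real;
}

// Hardened handler: the validated interpreter path is passed to proc_open as an
// argv array (PHP >= 7.4), which bypasses /bin/sh entirely, so nothing in the
// value can be interpreted as a command separator or substitution.
function runCoreUpdateSafe(string $php, string $appRoot): array
{
    $bin = validatePhpBinary($php);
    $proc = proc_open(
        [$bin, $appRoot . '/composer.phar', 'update', '--no-interaction'],
        [1 => ['pipe', 'w'], 2 => ['pipe', 'w']],
        $pipes,
        $appRoot
    );
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start the updater');
    }
    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $code = proc_close($proc);
    return ['code' => $code, 'stdout' => $stdout, 'stderr' => $stderr];
}

// Demonstration on constructed inputs: the running interpreter is accepted,
// while a value carrying shell syntax is rejected before any process starts.
foreach ([PHP_BINARY, PHP_BINARY . '; echo not-php'] as $candidate) {
    try {
        echo $candidate, ' -> accepted: ', validatePhpBinary($candidate), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $candidate, ' -> rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The first line of defence is the allowlist in validatePhpBinary(): a path that contains a space, a semicolon or any other character outside the permitted set never reaches a process call. The second is the argv form of proc_open(), which removes the shell from the picture so that escaping mistakes cannot reintroduce the problem. escapeshellarg() would be the minimal fix if exec() had to stay, but avoiding the shell is the more robust choice.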

Remediation

Users are advised to update to baserCMS version 5.2.3 or later, where this vulnerability has been patched.

Added: Mar 31, 2026, 1:23 AM
Updated: Mar 31, 2026, 1:23 AM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 10.0
exploitability: 5.3
remediation: 7.7
relevance: 5.0
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.