DouPHP ZIP File Handler Unrestricted Upload Vulnerability Leading to Remote Code Execution
Vulnerability
A remote code execution vulnerability has been identified in DouPHP versions through 1.9. The issue resides in the ZIP File Handler component, specifically within the file '/admin/file.php'. The vulnerability arises from inadequate validation of the 'sql_filename' parameter, allowing for unrestricted file uploads. Exploitation involves uploading a ZIP file containing a malicious PHP script, which can then be executed on the server.
Impact
Exploitation of this vulnerability allows for unauthorized remote code execution on the server, with the potential to gain full control over the web application and the underlying operating system.
Reproduction
To reproduce this vulnerability, first upload a ZIP file containing a PHP web shell through the 'admin/file.php' interface. After the ZIP file is uploaded, navigate to 'admin/backup.php' and use the 'sql_filename' parameter to extract the ZIP file. The extraction process will place the PHP shell into the web root directory, where it can be executed.
Remediation
It is recommended to validate file paths and inputs in 'admin/backup.php' to prevent directory traversal attacks. Implement secure ZIP extraction methods that ensure files are only extracted within designated directories. Additionally, enhance file upload validations in 'admin/file.php' to block dangerous file types, such as ZIPs containing PHP scripts.
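The remediation above, as an added PHP example that is not DouPHP's own code: the 'sql_filename' value is resolved against a fixed backup directory and may not carry a path component, and archive entries are allowlisted to flat '.sql' names before anything is written, so traversal entries and PHP scripts are rejected before they can reach the web root. The function names, the directory layout and the assumption that a backup archive holds only '.sql' files are mine.

```php
<?php
// Added example, not DouPHP's own code. Assumes backups hold only flat .sql files and
// that backup archives live in one directory outside the web root (hypothetical layout).
// 'sql_filename' check: a bare archive name that already exists in the backup directory.
function resolve_backup_file(string $sqlFilename, string $backupDir): string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,100}\.zip$/', $sqlFilename)) {
        throw new InvalidArgumentException('Invalid backup file name');
    }
    $base = realpath($backupDir);
    $path = realpath($backupDir . DIRECTORY_SEPARATOR . $sqlFilename);
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new InvalidArgumentException('Backup file not found');
    }
    return $path;
}
// Extraction: every entry name is allowlisted before anything is written, and entries are
// copied from a stream instead of trusting extractTo() with archive-supplied paths.
function extract_backup_zip(string $zipPath, string $backupDir): array
{
    $base = realpath($backupDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('Backup directory is missing');
    }
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException('Cannot open archive');
    }
    $extracted = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        // One flat file name ending in .sql: no '/', '..', NUL bytes or .php variants.
        if ($name === false || !preg_match('/^[A-Za-z0-9_-]{1,100}\.sql$/', $name)) {
            $zip->close();
            throw new RuntimeException('Rejected archive entry: ' . var_export($name, true));
        }
        $target = $base . DIRECTORY_SEPARATOR . $name;
        $in = $zip->getStream($name);
        $out = is_link($target) ? false : fopen($target, 'xb'); // 'x': never overwrite
        if ($in === false || $out === false) {
            $zip->close();
            throw new RuntimeException('Cannot write ' . $name);
        }
        stream_copy_to_stream($in, $out);
        fclose($in); fclose($out);
        $extracted[] = $target;
    }
    $zip->close();
    return $extracted;
}
```

Any entry that fails the allowlist aborts the whole import rather than skipping the entry, so a partially extracted archive never lands on disk.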