funadmin
cpe:2.3:a:funadmin:funadmin:*:*:*:*:*:*:*
- <v7.1.0-rc4
A deserialization vulnerability has been identified in Funadmin versions up to 7.1.0-rc4. The issue arises in the AuthCloudService.php file, specifically within the getMember function. The vulnerability is triggered by manipulating the cloud_account argument, which leads to unsafe deserialization of user-controlled data from cookies. This flaw can be exploited remotely, with a public exploit available.
Exploitation of this vulnerability allows for unauthorized deserialization of data, which can be leveraged to write arbitrary files. This file write capability could potentially be used to execute malicious code, especially considering the application's dependency on the League library, which could be exploited to achieve remote code execution.
To reproduce this vulnerability, send a request to a backend endpoint that invokes the getMember() method, such as /backend/addon/index or /backend/sys/upgrade/index. Include a crafted cloud_account value in the cookies to exploit the deserialization vulnerability. The deserialized object can be manipulated to write a file to the server, which could be used to execute code if the file is interpreted as a PHP script.
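As an added detection example (not part of the advisory and not Funadmin's own code), the following Python flags request-log entries toward the two backend routes named above whose cloud_account cookie carries a PHP-serialized object; the log line format and every sample value are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Backend routes the advisory names as reaching getMember().
WATCHED_PATHS = ("/backend/addon/index", "/backend/sys/upgrade/index")

# PHP serialization markers that instantiate a class: O:<len>:"Class" (object)
# and C:<len>:"Class" (custom-serialized). Arrays (a:) and scalars are not flagged.
PHP_OBJECT_RE = re.compile(r'(?:^|[;{])[OC]:\d+:"')

# Constructed log format (assumption): <ts> <client> <method> <path> cookie="<Cookie header>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) cookie="([^"]*)"')


def parse_cookies(header):
    """Split a Cookie header on ';' first, then URL-decode each value once."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = unquote(value)
    return cookies


def suspicious_cloud_account(line):
    """Return (client, path) when a watched route receives a PHP object in cloud_account, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    _ts, client, _method, path, cookie_header = m.groups()
    if path.split("?")[0] not in WATCHED_PATHS:
        return None
    value = parse_cookies(cookie_header).get("cloud_account")
    if value is None or not PHP_OBJECT_RE.search(value):
        return None
    return (client, path)


def scan(lines):
    """Run the check over an iterable of log lines and collect the hits."""
    return [hit for hit in map(suspicious_cloud_account, lines) if hit]


# Constructed sample lines: a plain account value, a serialized object (hit),
# the same object toward an unwatched route, and a serialized array (not flagged).
SAMPLE_LOG = [
    '2024-05-01T10:00:00Z 192.0.2.10 GET /backend/addon/index cookie="PHPSESSID=s1; cloud_account=demo%40example.com"',
    '2024-05-01T10:00:05Z 198.51.100.7 GET /backend/addon/index cookie="PHPSESSID=s2; cloud_account=O%3A7%3A%22Example%22%3A1%3A%7Bs%3A4%3A%22name%22%3Bs%3A3%3A%22abc%22%3B%7D"',
    '2024-05-01T10:00:09Z 198.51.100.7 GET /index.php cookie="cloud_account=O%3A7%3A%22Example%22%3A0%3A%7B%7D"',
    '2024-05-01T10:00:12Z 203.0.113.4 GET /backend/sys/upgrade/index cookie="cloud_account=a%3A1%3A%7Bs%3A1%3A%22k%22%3Bs%3A1%3A%22v%22%3B%7D"',
]

if __name__ == "__main__":
    for client, path in scan(SAMPLE_LOG):
        print(f"serialized PHP object in cloud_account from {client} to {path}")
```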