MetInfo CMS Unauthenticated PHP Code Injection Vulnerability Leading to Remote Code Execution

Vulnerability

A PHP code injection vulnerability has been identified in MetInfo CMS versions 7.9, 8.0, and 8.1. Remote attackers can execute arbitrary code by sending crafted requests that include malicious PHP code, which gives them full control over the affected server. The flaw is in the 'wxAdminLogin()' method of the 'weixinreply.class.php' file, where user input from the 'EventKey' and 'FromUserName' XML tags is not properly sanitized before being used in cache operations. Exploitation involves injecting PHP code through the 'EventKey' parameter, which is then executed on the server.

Impact

Exploitation of this vulnerability allows for unauthenticated remote code execution on the affected server.

Reproduction

To reproduce this vulnerability, send a Weixin API request that includes unsanitized input in the 'EventKey' and 'FromUserName' XML tags. The 'EventKey' parameter can be crafted to include Path Traversal sequences, allowing the injection of arbitrary PHP code into the application's cache. Once the malicious code is executed, it can be used to gain unauthorized access to the server.
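For defenders, the following added example (not part of the original advisory and not MetInfo code) scans captured Weixin request bodies for the two tags named above and flags values containing path traversal sequences or PHP open tags. The indicator patterns, function names, and sample bodies are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# XML tags the advisory names as reaching cache operations unsanitized.
TAG_RE = re.compile(r"<(EventKey|FromUserName)>(.*?)</\1>", re.S)
CDATA_RE = re.compile(r"^<!\[CDATA\[(.*)\]\]>$", re.S)

# Assumed indicators chosen for this example (not taken from the advisory).
INDICATORS = {
    "path_traversal": re.compile(r"\.\.[\\/]"),
    "php_open_tag": re.compile(r"<\?(?:php|=)", re.I),
}

def scan_body(body):
    """Return sorted (tag, indicator) pairs found in one request body."""
    hits = set()
    for tag, raw in TAG_RE.findall(body):
        value = raw.strip()
        m = CDATA_RE.match(value)
        if m:
            value = m.group(1)  # unwrap the CDATA section
        # Check the literal value and one URL-decoded pass of it.
        for candidate in (value, unquote(value)):
            for name, pattern in INDICATORS.items():
                if pattern.search(candidate):
                    hits.add((tag, name))
    return sorted(hits)

def scan_requests(records):
    """records: iterable of (request_id, body). Return only flagged requests."""
    return {rid: hits for rid, body in records if (hits := scan_body(body))}

# Constructed sample bodies; the values are inert placeholders.
SAMPLES = [
    ("req-1", "<xml><FromUserName><![CDATA[user_0001]]></FromUserName>"
              "<EventKey><![CDATA[menu_item_3]]></EventKey></xml>"),
    ("req-2", "<xml><FromUserName><![CDATA[user_0002]]></FromUserName>"
              "<EventKey><![CDATA[../../placeholder]]></EventKey></xml>"),
    ("req-3", "<xml><FromUserName><![CDATA[..%2Fplaceholder]]></FromUserName>"
              "<EventKey><![CDATA[<?php /* placeholder */ ?>]]></EventKey></xml>"),
]

if __name__ == "__main__":
    for rid, hits in scan_requests(SAMPLES).items():
        print(rid, hits)
```

The scan uses regular expressions on the raw body instead of an XML parser, so malformed or entity-laden bodies are still inspected.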

Added: Apr 1, 2026, 1:22 PM
Updated: Apr 1, 2026, 1:22 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 10.0
exploitability: 9.3
remediation: 0.0
relevance: 5.1
threat: 7.1
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.