Daylight Studio FuelCMS Authenticated Remote Code Execution Vulnerability

Vulnerability

An authenticated remote code execution vulnerability has been identified in Daylight Studio FuelCMS version 1.5.2. The issue arises in the Installer controller, specifically within the add_git_submodule function. This vulnerability allows any authenticated user on a development instance of FuelCMS to execute arbitrary code by adding malicious Git submodules from external repositories, such as GitHub, and then accessing the injected files through the web server.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where FuelCMS is installed.

Reproduction

To reproduce this vulnerability, an authenticated user must send a request to the Installer controller of the FuelCMS development server, specifically to its add_git_submodule function. The request must include a Git repository URL formatted for Git over SSH. If the server is configured correctly and the request succeeds, the specified repository is cloned as a submodule. Once it has been added, any PHP files in the repository can be accessed through a specific URL path, allowing for code execution.
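As an added example (not part of this advisory), a defender-side check in Python that scans web-server access logs for requests to the add_git_submodule function named above and reports any Git-over-SSH repository URL found in the query string. The log lines and the /fuel/installer/... request path are constructed for illustration and are not FuelCMS's real routes; the check matches on the function name only.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); the request
# paths are illustrative, not FuelCMS's actual routes.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Apr/2026:16:40:01 +0000] "GET /fuel/pages HTTP/1.1" 200 512
203.0.113.7 - - [15/Apr/2026:16:40:05 +0000] "GET /fuel/installer/add_git_submodule?repo=git%40github.com%3Aexample%2Fplugin.git HTTP/1.1" 200 88
203.0.113.8 - - [15/Apr/2026:16:41:10 +0000] "POST /fuel/installer/add_git_submodule HTTP/1.1" 302 0
198.51.100.2 - - [15/Apr/2026:16:42:00 +0000] "GET /index.php/about HTTP/1.1" 200 2048
"""

# Client IP, timestamp, request line and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SUSPECT_FUNCTION = "add_git_submodule"  # the function named in the advisory
# Git-over-SSH forms: ssh://user@host/repo.git or user@host:path/repo.git
SSH_GIT_RE = re.compile(r'^(ssh://\S+|[\w.-]+@[\w.-]+:\S+)$')

def ssh_git_params(query):
    """Return query parameter values that look like Git-over-SSH URLs."""
    hits = []
    for values in parse_qs(query).values():
        hits.extend(v for v in values if SSH_GIT_RE.match(v))
    return hits

def scan_log(text):
    """Flag every request whose path targets the add_git_submodule function."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if SUSPECT_FUNCTION not in url.path.lower():
            continue
        findings.append({
            "ip": m["ip"],
            "method": m["method"],
            "status": int(m["status"]),
            "ssh_urls": ssh_git_params(url.query),
            # POST bodies never reach access logs; check app or WAF logs there.
            "body_unseen": m["method"] == "POST",
        })
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Any hit on a production instance is worth triage, since the advisory states the Installer controller is only expected on development instances; a follow-up check is to diff the installation's .gitmodules against the submodules the team actually added.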

Added: Apr 15, 2026, 4:40 PM
Updated: Apr 15, 2026, 4:40 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 7.5
exploitability: 6.4
remediation: 0.0
relevance: 6.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.