Slah CMS Remote Code Execution Vulnerability
Vulnerability
A remote code execution vulnerability has been identified in Slah CMS versions through 1.5.0. The issue arises in the session() function within config.php, where user input is not properly sanitized before being passed to the eval() function. This flaw allows unauthenticated remote attackers to execute arbitrary commands on the server, potentially leading to a full system compromise.
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the server, with the executed commands running in the context of the web server user. This could lead to a complete system compromise.
Reproduction
The vulnerability can be reproduced by sending a POST request to the login endpoint with the email parameter set to "suportes@slah.com.br" and the senha parameter containing a command to be executed, such as "system('uname -a ; uptime')". The lack of input sanitization allows the injected command to be executed on the server.
Remediation
Users are advised to update Slah CMS to the latest patched version available from the vendor. The eval() function should be replaced with a secure alternative, such as a switch-case or a whitelist-based mapping, to prevent user input from being executed as code.
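The allowlist-based mapping recommended above, sketched in PHP as an added example (this is not Slah CMS source and not the vendor's patch). The function names, action keys, and the sample user store are assumptions made for illustration; only the email and senha parameter names come from the advisory.

```php
<?php
declare(strict_types=1);

// Illustrative weak pattern (NOT Slah CMS source): request data reaches eval().
//   eval('$result = ' . $_POST['senha'] . ';');

/**
 * Hypothetical allowlist of actions the login flow may trigger.
 * Keys are the only values accepted from the request; values are fixed callables.
 */
function allowedActions(): array
{
    return [
        'login'  => fn(array $in): string => verifyLogin($in['email'] ?? '', $in['senha'] ?? ''),
        'logout' => fn(array $in): string => 'logged-out',
    ];
}

/** Credentials are compared as data; nothing from the request is interpreted as code. */
function verifyLogin(string $email, string $senha): string
{
    // Constructed sample user store; a real application would query its database.
    static $users = null;
    $users ??= ['user@example.test' => password_hash('correct horse', PASSWORD_DEFAULT)];
    $hash = $users[$email] ?? null;
    return ($hash !== null && password_verify($senha, $hash)) ? 'ok' : 'denied';
}

/** Dispatch by exact key lookup; unknown actions are rejected, never evaluated. */
function dispatch(string $action, array $input): string
{
    $map = allowedActions();
    if (!array_key_exists($action, $map)) {
        return 'rejected';
    }
    return $map[$action]($input);
}

// Constructed inputs: a valid login, then the advisory's code-like string,
// which is now only a wrong password or an unknown action name.
echo dispatch('login', ['email' => 'user@example.test', 'senha' => 'correct horse']), PHP_EOL;
echo dispatch('login', ['email' => 'user@example.test', 'senha' => "system('uname -a ; uptime')"]), PHP_EOL;
echo dispatch("system('uname -a ; uptime')", []), PHP_EOL;
```

With this structure the set of reachable code paths is fixed at development time, so reviewing the map is enough to know what a request can trigger.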
