Goodoneuz Pay-uz Laravel Package Remote Code Execution Vulnerability
Vulnerability
A critical remote code execution vulnerability has been identified in the Goodoneuz Pay-uz Laravel package, specifically in versions through 2.2.24. The issue arises in the '/payment/api/editable/update' endpoint, which is accessible without authentication. This endpoint allows unauthenticated attackers to overwrite existing PHP payment hook files. The vulnerability is exploited by sending user-controlled input that is directly written into executable PHP files using 'file_put_contents()'. These modified files are then executed via 'require()' during regular payment processing, leading to remote code execution under the default application behavior. Notably, the payment secret token referenced by the vendor does not mitigate this vulnerability.
Impact
Exploitation of this vulnerability allows for remote code execution on the server where the application is running.
Reproduction
To reproduce this vulnerability, send a request to the '/payment/api/editable/update' endpoint without authentication. Include the 'file_name' parameter with the name of the PHP file to be overwritten and the 'content' parameter with the PHP code to be executed. The overwritten file will be executed during the payment processing workflow, resulting in remote code execution.
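The root cause is that request-controlled text is written into a PHP file that is later loaded with `require()`. The hardened pattern below is an added illustration, not code from the Pay-uz package: the endpoint requires authentication, the hook name is checked against a fixed allowlist instead of being used as a path, and hook settings are persisted as JSON data that is read back with `json_decode()`, so nothing the client sends is ever executed. Class, route, parameter and policy names are assumptions.

```php
<?php
// Added example (not the Pay-uz package's code): a hardened "update editable hook"
// endpoint. EditableHookController, the 'hook'/'settings' parameters and the
// 'manage-payment-hooks' ability are hypothetical names.
namespace App\Http\Controllers;

use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\File;
use Illuminate\Support\Facades\Route;
use Illuminate\Validation\Rule;

class EditableHookController extends Controller
{
    // The only hook identifiers that may be edited. The request value is never
    // used as a file name, so traversal or overwriting arbitrary .php files is impossible.
    private const ALLOWED_HOOKS = ['on_success', 'on_failure', 'on_refund'];

    public function update(Request $request): JsonResponse
    {
        $data = $request->validate([
            'hook'                  => ['required', 'string', Rule::in(self::ALLOWED_HOOKS)],
            'settings'              => ['required', 'array'],
            'settings.enabled'      => ['required', 'boolean'],
            'settings.callback_url' => ['nullable', 'url'],
        ]);

        // Settings are stored as data (JSON), never as executable PHP. Hook logic
        // stays in version-controlled classes; this file only parameterises them.
        $path = storage_path('app/payment-hooks/' . $data['hook'] . '.json');
        File::ensureDirectoryExists(dirname($path));
        File::put($path, json_encode($data['settings'], JSON_THROW_ON_ERROR));

        return response()->json(['status' => 'ok']);
    }

    // The reader side: json_decode() instead of require(), so a tampered file
    // can at worst yield bad settings, not code execution.
    public static function loadSettings(string $hook): array
    {
        if (!in_array($hook, self::ALLOWED_HOOKS, true)) {
            return [];
        }
        $path = storage_path('app/payment-hooks/' . $hook . '.json');
        return File::exists($path)
            ? json_decode(File::get($path), true, 512, JSON_THROW_ON_ERROR)
            : [];
    }
}

// routes/web.php: the vulnerable endpoint had no auth; this one requires a
// logged-in user holding the (assumed) 'manage-payment-hooks' ability.
Route::middleware(['auth', 'can:manage-payment-hooks'])
    ->post('/payment/api/editable/update', [EditableHookController::class, 'update']);
```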
