Krayin CRM Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in Krayin CRM version 2.1.5. An authenticated user can execute arbitrary code by attaching a PHP file to a message in the email composition feature. The attachment is written to a web-accessible directory without extension or content validation, so a request for the file's URL causes the web server to execute the uploaded PHP instead of serving it as data.

Impact

Exploitation gives arbitrary code execution on the server with the privileges of the PHP process, which can lead to a full compromise of the CRM. An attacker could run OS commands, plant a persistent web shell, read and modify server files including application configuration, extract database contents and customer data, and use the host as a pivot into internal network resources.

Reproduction

To reproduce, log into Krayin CRM, open the 'Email' section and select 'Compose'. Attach a PHP file containing the code to be run and send the email. The attachment is stored in a web-accessible directory, and requesting it by URL executes the uploaded PHP. Valid CRM credentials are required, so this is an authenticated remote code execution issue.

Remediation

Update to Krayin CRM version 2.1.6, which addresses this issue. Independently of the upgrade, harden attachment handling: restrict uploads to an allowlist of extensions, validate the MIME type from file content rather than the client-supplied header, store uploads outside the web root under server-generated names, configure the web server to deny script execution in any upload directory that must remain publicly reachable, and monitor upload directories for files with executable extensions or script content.
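The following attachment handler is an added example of those controls, not Krayin's own code. The function names, the extension and MIME allowlists, and the storage directory are assumptions chosen for the example; the demo at the bottom constructs its own sample files in a temporary directory so it runs offline.

```php
<?php
declare(strict_types=1);

// Added example (not Krayin code). Allowlists, names and paths below are assumptions.

// Extensions a mail attachment may legitimately carry (assumed list). Anything else,
// including .php/.phtml/.phar, is refused before it ever reaches disk.
const ALLOWED_EXTENSIONS = ['pdf', 'png', 'jpg', 'jpeg', 'txt', 'csv'];

// MIME types, detected from file content, that are acceptable for each extension (assumed).
const ALLOWED_MIME = [
    'pdf'  => ['application/pdf'],
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'txt'  => ['text/plain'],
    'csv'  => ['text/plain', 'text/csv'],
];

// Returns the normalised extension if the attachment passes every check, otherwise throws.
function validateAttachment(string $tmpPath, string $clientName): string
{
    // Extension allowlist. basename() drops any directory part embedded in the client name.
    $ext = strtolower(pathinfo(basename($clientName), PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, ALLOWED_EXTENSIONS, true)) {
        throw new RuntimeException("Disallowed attachment extension: '$ext'");
    }

    // Content-based MIME check. $_FILES['type'] is client-supplied and must not be trusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !in_array($mime, ALLOWED_MIME[$ext], true)) {
        throw new RuntimeException("Content type '$mime' does not match extension '$ext'");
    }

    // Defence in depth: refuse anything containing a PHP open tag, so a polyglot that is
    // both a valid image and valid PHP cannot slip through the MIME check.
    if (preg_match('/<\?(php|=)/i', (string) file_get_contents($tmpPath))) {
        throw new RuntimeException('Attachment contains PHP code');
    }
    return $ext;
}

// Builds a server-chosen destination under a directory that is NOT below the web root
// (assumed: storage/app/attachments). The client filename is never used on disk.
// If an upload directory must stay web-reachable, also deny execution there, e.g. in nginx:
//   location ~* ^/storage/.*\.php$ { deny all; }
function attachmentDestination(string $storageDir, string $ext): string
{
    if (!is_dir($storageDir) && !mkdir($storageDir, 0750, true)) {
        throw new RuntimeException("Cannot create $storageDir");
    }
    return rtrim($storageDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
}

// Monitoring: list files under $dir that carry a server-side extension or contain a PHP tag.
function scanUploadDir(string $dir): array
{
    $suspicious = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        $ext  = strtolower($file->getExtension());
        $body = (string) file_get_contents($file->getPathname());
        if (preg_match('/^(php\d?|phtml|phar|htaccess)$/', $ext) || preg_match('/<\?(php|=)/i', $body)) {
            $suspicious[] = $file->getPathname();
        }
    }
    return $suspicious;
}

// --- demo with constructed sample files in a temporary directory ---
$work = sys_get_temp_dir() . '/krayin-demo-' . bin2hex(random_bytes(4));
mkdir($work, 0750, true);
file_put_contents("$work/note.txt", "Quarterly figures attached.\n");
file_put_contents("$work/shell.txt", "<?php system(\$_GET['c']); ?>\n"); // PHP body, harmless name
file_put_contents("$work/shell.php", "<?php echo 'owned'; ?>\n");

foreach (['note.txt', 'shell.txt', 'shell.php'] as $name) {
    try {
        $ext  = validateAttachment("$work/$name", $name);
        $dest = attachmentDestination("$work/private", $ext);
        // In a real request handler use move_uploaded_file($_FILES[...]['tmp_name'], $dest),
        // which additionally verifies that the source really came from this HTTP upload.
        rename("$work/$name", $dest);
        echo "accepted $name -> $dest\n";
    } catch (RuntimeException $e) {
        echo "rejected $name: {$e->getMessage()}\n";
    }
}
// Only the two rejected files remain under $work and both are flagged by the scan.
print_r(scanUploadDir($work));
```

Running the demo accepts only note.txt (stored under a random name in the private directory), rejects shell.php on extension, rejects shell.txt on detected content type or the embedded open tag, and the scan then reports both rejected files. The scan function is what a periodic job or file-integrity monitor would run against the real upload directory.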

Added: Apr 30, 2026, 4:36 PM
Updated: Apr 30, 2026, 4:36 PM

Vulnerability Rating

Custom Algorithm

spread          0.3
impact          7.5
exploitability  6.2
remediation     7.7
relevance       7.1
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.