BoidCMS
cpe:2.3:a:boidcms:boidcms:*:*:*:*:*:*:*
- <= 2.1.2
A critical local file inclusion (LFI) vulnerability has been identified in BoidCMS versions prior to 2.1.3. This vulnerability allows authenticated administrators to exploit the tpl parameter, leading to remote code execution (RCE). The issue arises because the application fails to properly sanitize the tpl parameter during page creation and updates, allowing path traversal sequences to be injected. This enables the inclusion of arbitrary files from the server's media directory. When combined with the file upload functionality, this vulnerability can be exploited to execute embedded PHP code with web server privileges.
Exploitation of this vulnerability allows for unauthorized remote code execution on the server, with the executed code running under the web server's privileges.
To reproduce this vulnerability, an authenticated administrator can upload a file containing PHP code disguised as an image (such as a JPEG) through the admin media panel. After the file is uploaded, the administrator can create a new page and inject a path traversal sequence in the tpl parameter to include the uploaded file from the media directory. Once the page is accessed, the PHP code is executed on the server.
Users are advised to update to BoidCMS version 2.1.3 or later, where this vulnerability has been fixed.
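For deployments that load templates from a request parameter in the same way, the following added example (not BoidCMS code, and not the project's actual patch) shows one way to validate a tpl-style value before it reaches include. The function name resolve_template, the theme/media directory layout and the sample inputs are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not BoidCMS code): map a user-supplied template name
 * to a file inside $themeDir, or return null if it must not be included.
 */
function resolve_template(string $themeDir, string $tpl): ?string
{
    // 1. Accept only a bare name: no slashes, dots, NUL bytes or extensions.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $tpl) !== 1) {
        return null;
    }

    // 2. Accept only names that exist as *.php templates in the theme itself.
    $allowed = array_map(
        static fn(string $p): string => basename($p, '.php'),
        glob(rtrim($themeDir, '/') . '/*.php') ?: []
    );
    if (!in_array($tpl, $allowed, true)) {
        return null;
    }

    // 3. Defence in depth: the canonical path must still sit under the theme
    //    directory (catches symlinks pointing at the media/upload directory).
    $base = realpath($themeDir);
    $file = realpath($themeDir . '/' . $tpl . '.php');
    if ($base === false || $file === false
        || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $file;
}

// Constructed demo: a temporary theme directory next to a media directory.
$root = sys_get_temp_dir() . '/tpl-demo-' . bin2hex(random_bytes(4));
mkdir("$root/theme", 0700, true);
mkdir("$root/media", 0700, true);
file_put_contents("$root/theme/post.php", "<?php // template\n");
file_put_contents("$root/media/photo.jpg", "not a template\n");

foreach (['post', '../media/photo.jpg', 'post.php', 'missing', "post\0"] as $tpl) {
    $result = resolve_template("$root/theme", $tpl);
    printf("%-22s => %s\n", json_encode($tpl, JSON_UNESCAPED_SLASHES), $result === null ? 'rejected' : 'accepted');
}
```

The same check belongs on both the page-creation and page-update paths, since the advisory names both as entry points for the tpl value.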