Pachno Deserialization Vulnerability Leading to Remote Code Execution

A deserialization vulnerability has been identified in Pachno version 1.0.6, allowing unauthenticated attackers to execute arbitrary code. This issue arises because the application unserializes data from cache files during the initial framework bootstrap, before any authentication or routing is applied. The cache files, which are created with world-writable permissions and predictable names, can be manipulated by attackers to inject malicious PHP object payloads. Once injected, these payloads are executed on the server during the next HTTP request.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server where Pachno 1.0.6 is installed.

Reproduction

To reproduce this vulnerability, write a malicious serialized PHP object payload and save it to a cache file in the application's cache directory. Ensure the file has a predictable name and the correct permissions to allow writing. The injected payload will be unserialized during the next HTTP request, leading to arbitrary code execution.