Code-Projects Chamber of Commerce Membership Management System Command Injection Vulnerability

Vulnerability

A command injection vulnerability has been identified in Code-Projects Chamber of Commerce Membership Management System version 1.0. The issue is in the admin/pageMail.php file, specifically in the fwrite call that persists outgoing mail: the mailSubject and mailMessage parameters are written into a PHP file inside double-quoted strings. Because PHP evaluates the contents of double-quoted strings, arbitrary PHP code supplied in either parameter is executed when that file is later processed, which allows remote code execution.

Impact

Exploitation of this vulnerability allows an authenticated administrator to execute arbitrary PHP code on the server, leading to full remote code execution. This could involve writing a web shell to the server, which could then be used to execute commands, access or modify files, and potentially compromise the entire system.

Reproduction

To reproduce this vulnerability, log into the application as an administrator and navigate to the mail sending page. Fill out the form with a subject and a crafted message that contains PHP code, supplied through the mailMessage parameter. Once the message is sent, the injected code is executed on the server.

Remediation

It is recommended to replace the PHP file-based mail queue with a non-executable storage format such as JSON or a database-backed queue, so that queued subjects and messages are only ever read back as data and never parsed as PHP. Content read from the queue should still be escaped when it is rendered in the admin interface.
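The following is an added example of the remediation described above; it is not code from the Code-Projects project. It stores the queue as JSON and reads it back with json_decode, so the subject and message are handled as data rather than as PHP source. The file path, field names and length limits are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the Code-Projects project. Shows the advisory's
// remediation: a mail queue persisted as JSON (data) instead of a PHP file (code).
// MAIL_QUEUE_FILE, the field names and the size limits are assumptions.

const MAIL_QUEUE_FILE = __DIR__ . '/../storage/mail_queue.json'; // assumed; keep outside the web root
const MAX_SUBJECT_LEN = 255;
const MAX_MESSAGE_LEN = 20000;

/** Load the queue, tolerating a missing or empty file. This file is never include()d. */
function loadQueue(string $path): array
{
    if (!is_file($path)) {
        return [];
    }
    $raw = file_get_contents($path);
    if ($raw === false || trim($raw) === '') {
        return [];
    }
    $items = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    return is_array($items) ? $items : [];
}

/** Persist the queue under an exclusive write lock. */
function saveQueue(string $path, array $items): void
{
    $json = json_encode($items, JSON_THROW_ON_ERROR | JSON_PRETTY_PRINT);
    if (file_put_contents($path, $json, LOCK_EX) === false) {
        throw new RuntimeException('could not write mail queue');
    }
}

/**
 * Queue a message. json_encode escapes quotes, backslashes and control
 * characters, and the file is only ever parsed by json_decode, so nothing in
 * the subject or body can be interpreted as PHP.
 */
function enqueueMail(string $path, string $subject, string $message): void
{
    if ($subject === '' || strlen($subject) > MAX_SUBJECT_LEN) {
        throw new InvalidArgumentException('invalid subject length');
    }
    if (strlen($message) > MAX_MESSAGE_LEN) {
        throw new InvalidArgumentException('message too long');
    }
    // A mail subject is a single header line; reject embedded line breaks.
    if (preg_match('/[\r\n]/', $subject) === 1) {
        throw new InvalidArgumentException('subject must be a single line');
    }

    $items = loadQueue($path);
    $items[] = [
        'subject'   => $subject,
        'message'   => $message,
        'queued_at' => gmdate(DATE_ATOM),
    ];
    saveQueue($path, $items);
}

/** Take the oldest entry off the queue, checking its shape before it is used. */
function dequeueMail(string $path): ?array
{
    $items = loadQueue($path);
    if ($items === []) {
        return null;
    }
    $item = array_shift($items);
    saveQueue($path, $items);

    if (!is_string($item['subject'] ?? null) || !is_string($item['message'] ?? null)) {
        throw new UnexpectedValueException('malformed queue entry');
    }
    return $item;
}

/** Escape a queued entry for display in the admin UI. */
function renderQueued(array $item): string
{
    return '<h2>' . htmlspecialchars($item['subject'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</h2>'
         . '<pre>' . htmlspecialchars($item['message'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</pre>';
}
```

The queue file should live outside the web root so it cannot be requested directly, and the worker that sends queued mail reads it only through loadQueue; at no point is the stored content passed to include, eval or a double-quoted string that is later written out as PHP.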

Added: Mar 29, 2026, 10:18 AM
Updated: Mar 29, 2026, 10:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 6.7
remediation: 0.0
relevance: 4.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.