CampCodes Complete POS Management and Inventory System Environment Variable Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A remote code execution vulnerability has been identified in CampCodes Complete POS Management and Inventory System versions through 4.0.6. The issue lies in the application's environment variable handler in SettingsController.php. The backend API that manages system configuration writes submitted values into the application's .env file without sanitizing them, so an authenticated attacker can inject arbitrary environment variable definitions. The injected definitions can override critical system variables, leading to execution of arbitrary commands on the server with web server privileges and potentially complete system compromise.

Impact

Exploitation of this vulnerability allows for authenticated remote code execution on the server where the application is hosted, with the executed commands running under the privileges of the web server.

Reproduction

To reproduce this vulnerability, authenticate as an administrator and send a POST request to the Twilio configuration update endpoint with a JSON payload in which a setting value contains newline characters. The newline terminates the intended variable definition, and the text that follows it is written into .env as a new DUMP_PATH definition carrying the attacker's command. Then trigger the 'Generate Backup' function: the backup routine passes DUMP_PATH to PHP's exec(), so the injected command runs under the web server account, confirming successful exploitation.
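To make the mechanism concrete, the following PHP sketch is added here as an illustration; it is not code from CampCodes POS or its SettingsController.php. It shows a .env writer that copies request values verbatim, the newline payload shape the advisory describes turning a Twilio setting update into a second DUMP_PATH definition, the backup routine that would hand that value to exec(), and the hardened counterparts. The function names, the allowed-key list, the sample .env contents and the `--version` command shape are assumptions; only DUMP_PATH, the .env target and the exec() sink come from the advisory.

```php
<?php
// Added illustration of the flaw class described in the advisory. This is NOT
// code from CampCodes POS; function names, the allowed-key list, the sample
// .env contents and the command shape are assumptions. Only DUMP_PATH, the
// .env target and the exec() sink come from the advisory.

// Raw .env writer: replaces "KEY=..." or appends it, copying the value verbatim.
function writeEnvLine(string $env, string $key, string $value): string
{
    $pattern = '/^' . preg_quote($key, '/') . '=.*$/m';
    $line = $key . '=' . $value;
    if (preg_match($pattern, $env)) {
        // Callback form so '$' or '\' in the value are not treated as back-references.
        return preg_replace_callback($pattern, fn () => $line, $env, 1);
    }
    return rtrim($env, "\n") . "\n" . $line . "\n";
}

// Vulnerable handler: the request value reaches the writer unfiltered, so a
// value containing "\n" ends the intended line and starts a new definition.
function updateEnvVulnerable(string $env, string $key, string $value): string
{
    return writeEnvLine($env, $key, $value);
}

// Hardened handler: allow-list the keys this endpoint may touch, reject control
// characters outright, and quote the value so '#', '=' or spaces cannot change
// how the dotenv parser reads the line.
function updateEnvSafe(string $env, string $key, string $value): string
{
    $allowed = ['TWILIO_SID', 'TWILIO_TOKEN', 'TWILIO_FROM']; // assumed key names
    if (!in_array($key, $allowed, true)) {
        throw new InvalidArgumentException("key not permitted: $key");
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $value)) {
        throw new InvalidArgumentException("control character in value for $key");
    }
    $quoted = '"' . str_replace(['\\', '"'], ['\\\\', '\\"'], $value) . '"';
    return writeEnvLine($env, $key, $quoted);
}

// Minimal dotenv reader (last definition wins, as in a shell). Real loaders
// differ in precedence; that only changes where an injected line must land.
function readEnv(string $env): array
{
    $vars = [];
    foreach (preg_split('/\R/', $env) as $line) {
        if ($line === '' || $line[0] === '#' || strpos($line, '=') === false) {
            continue;
        }
        [$k, $v] = explode('=', $line, 2);
        $vars[trim($k)] = trim($v, " \t\"");
    }
    return $vars;
}

// Sink as the advisory describes it: the backup routine builds a shell command
// from DUMP_PATH. Returned instead of exec()'d so the example is safe to run.
function backupCommandVulnerable(array $vars): string
{
    return $vars['DUMP_PATH'] . ' --version';   // real app: exec($cmd, $out)
}

// Hardened sink: DUMP_PATH must be an absolute path without shell metacharacters
// and is passed through escapeshellarg(); a deployment should additionally
// require is_executable($dump) before building the command.
function backupCommandSafe(array $vars): string
{
    $dump = $vars['DUMP_PATH'] ?? '';
    if (!preg_match('#^/[A-Za-z0-9_./-]+$#', $dump)) {
        throw new RuntimeException('DUMP_PATH is not a trusted executable path');
    }
    return escapeshellarg($dump) . ' --version';
}

// --- Walk-through on a constructed .env (not the product's file) ---
$env = "APP_NAME=POS\nDUMP_PATH=/usr/bin/mysqldump\nTWILIO_SID=AC000\n";

// Payload shape from the advisory: a newline terminates the Twilio value and
// a second line redefines DUMP_PATH with an attacker-chosen command.
$payload = "AC123\nDUMP_PATH=id > /tmp/pwned;";

$tampered = updateEnvVulnerable($env, 'TWILIO_SID', $payload);
echo "Tampered .env:\n$tampered\n";
echo "Command reaching exec(): ", backupCommandVulnerable(readEnv($tampered)), "\n";

foreach ([['TWILIO_SID', $payload], ['DUMP_PATH', '/bin/sh']] as [$k, $v]) {
    try {
        updateEnvSafe($env, $k, $v);
    } catch (InvalidArgumentException $e) {
        echo "Hardened handler rejected: ", $e->getMessage(), "\n";
    }
}
echo "Hardened sink: ", backupCommandSafe(readEnv($env)), "\n";
```

Run with `php example.php`. The tampered file ends up with two DUMP_PATH lines, the second one attacker-controlled, and the string returned by backupCommandVulnerable() is what exec() would receive. Whether an injected definition takes precedence over the original depends on the dotenv loader in use; the fix does not depend on that, because the hardened handler never lets a newline or an unexpected key reach the file, and the hardened sink refuses anything that is not a plain absolute path.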

Added: Apr 5, 2026, 11:19 AM
Updated: Apr 5, 2026, 11:19 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 6.6
remediation: 0.0
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.