CTCMS 2.1.2 - APP Configuration Command Execution Vulnerability

BUG_Author: airrudder

Affected version: CTCMS 2.1.2

Vendor: http://www.ctcms.cn/

Software: https://www.chshcms.net/product/show/2.html

Vulnerable files:

  • /ctcms/apps/admin/App.php

  • /ctcms/libs/Ct_App.php

Description

CTCMS (Ctcms video system) version 2.1.2 contains a command execution vulnerability in the backend APP configuration module. An authenticated administrator can modify the APP configuration to inject malicious code, leading to remote code execution.

Vulnerability Details

The vulnerability exists in the APP configuration management functionality. When an administrator saves APP configuration settings, the system writes the configuration data to /ctcms/libs/Ct_App.php without proper sanitization. By intercepting the request and adding a malicious "APP Payment Method" parameter, an attacker can inject PHP code that will be executed when the configuration file is accessed.

Proof of Concept

Step 1: Access APP Configuration

Navigate to the backend APP configuration page.

Step 2: Inject Malicious Payload

Click the save button and intercept the request. Add a new "APP Payment Method" parameter with the following payload:

 CT_App_Paytype[]=');?><?php system('id');phpinfo();?>

Step 3: Trigger the Vulnerability

Request the configuration file at /ctcms/libs/Ct_App.php directly; the injected code runs when the file is parsed.

Source Code Analysis

During the security audit, while searching the code base for fwrite operations, I found a write_file helper that writes whatever content it is handed straight to disk, which is dangerous whenever that content includes user-controlled data.

Tracing the callers of this write_file method leads to the backend App.php.

App.php uses this method to write the configuration to CTCMSPATH.'libs/Ct_App.php' (i.e., /ctcms/libs/Ct_App.php). The payment-method value $CT_App_Paytype is built with implode, which joins the submitted array elements with | as the delimiter; the joined string is then placed into the generated PHP file without escaping.
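As an added illustration (not CTCMS code: the real Ct_App.php template is not reproduced in this advisory, so the generated layout and the allowlisted payment-method names are assumptions), the following PHP contrasts the unescaped concatenation pattern with a hardened writer that allowlists the values and emits them through var_export(), plus a check that flags a generated config carrying a second <?php tag or a call to a shell function:

```php
<?php
// Added example, not CTCMS code: the exact Ct_App.php template is not shown
// in the advisory, so the generated layout below is a hypothetical stand-in.

// Hypothetical allowlist; the payment methods CTCMS actually supports are
// not listed in the advisory.
const ALLOWED_PAYTYPES = ['alipay', 'wxpay'];

// Unsafe pattern: submitted strings are joined with '|' and spliced into PHP
// source inside a quoted literal. A value containing ');?> terminates the
// literal and the PHP block, so whatever follows is parsed as new code.
function build_config_unsafe(array $paytype): string
{
    return "<?php\n\$CT_App_Paytype = '" . implode('|', $paytype) . "';\n";
}

// Hardened writer: reject anything outside the allowlist, then let
// var_export() produce a correctly escaped literal so no submitted byte can
// change the structure of the generated file.
function build_config_safe(array $paytype): string
{
    foreach ($paytype as $p) {
        if (!is_string($p) || !in_array($p, ALLOWED_PAYTYPES, true)) {
            throw new InvalidArgumentException("unknown payment method");
        }
    }
    $joined = implode('|', array_values(array_unique($paytype)));
    return "<?php\n\$CT_App_Paytype = " . var_export($joined, true) . ";\n";
}

// Integrity check for an already generated file: a settings file should
// contain exactly one opening tag and no calls to shell or eval functions.
function config_looks_tampered(string $source): bool
{
    return substr_count($source, '<?') !== 1
        || preg_match('/\b(system|exec|passthru|shell_exec|eval)\s*\(/i', $source) === 1;
}

// Demonstration with the payload from the advisory as a constructed input.
$evil = ["');?><?php system('id');phpinfo();?>"];
var_dump(config_looks_tampered(build_config_unsafe($evil)));
try {
    build_config_safe($evil);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
var_dump(config_looks_tampered(build_config_safe(['alipay', 'wxpay'])));
```

The same tamper check can be run periodically, or from a file-integrity monitor, against the deployed /ctcms/libs/Ct_App.php to detect a successful injection after the fact.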

By intercepting the request and adding a malicious "APP Payment Method" parameter:

 CT_App_Paytype[]=');?><?php system('id');phpinfo();?>

Checking the content of /ctcms/libs/Ct_App.php afterwards shows that the malicious code was written into the file.

Requesting /ctcms/libs/Ct_App.php then executes the injected code.