Closed noobpk closed 3 years ago
Thank you for this notice.
We are not an antivirus, and we cannot validate every line someone enters in a theme or module. This will work in every environment where it is possible to upload your own PHP code. The server environment must prevent the spawning of listeners and such.
Since you are admin when you are able to upload this, you can upload anything. Running anything within the server should be prevented within the server configuration and not within client software. Configuration of the prevention of the use of the exec method is in the php.ini.
I have used many CMSs and found that uploading modules like this can be handled in the code of the application. A simple way to handle this is by reading the files and grepping for code execution functions like exec, shell_exec, eval, ...; if any exist, we can cancel the following steps.
A similar case is in Moodle CMS: CVE-2019-11631.
I think you should reconsider and handle this issue. It can be resolved.
Description: Admin can install theme packages that have inserted functions that allow remote code execution.
Steps to Reproduce:
Return to the theme page, and it always executes every time the admin accesses the module to choose a theme.
PoC : https://youtu.be/p5G9e0eNF_4
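The pre-install check proposed in the thread (read the uploaded theme files and look for code execution functions), sketched in Python as an added example; it is not code from the project or from either commenter. The function names beyond exec, shell_exec and eval, the extension list, the size limit and the sample packages are assumptions. A name match like this is a coarse gate that sits alongside disabling those functions in php.ini, not in place of it.

```python
import io
import re
import zipfile

# exec, shell_exec and eval come from the thread; the rest of the list is an assumption.
RISKY_CALLS = ("exec", "shell_exec", "eval", "system", "passthru", "popen", "proc_open")
# The lookbehind skips method calls and longer names such as $db->exec( or curl_exec(.
CALL_RE = re.compile(r"(?<![\w>$:])(" + "|".join(RISKY_CALLS) + r")\s*\(", re.IGNORECASE)
PHP_EXTENSIONS = (".php", ".phtml", ".inc")  # assumed set of executable extensions


def scan_theme_zip(data, max_bytes=1_000_000):
    """Return (path, line, function) for each risky call found in a theme archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            if info.file_size > max_bytes:  # refuse to read oversized members
                findings.append((info.filename, 0, "file-too-large"))
                continue
            text = archive.read(info).decode("utf-8", errors="replace")
            # Scan PHP files by extension, plus any file that carries a PHP open tag.
            if not (info.filename.lower().endswith(PHP_EXTENSIONS) or "<?php" in text):
                continue
            for line_no, line in enumerate(text.splitlines(), 1):
                for match in CALL_RE.finditer(line):
                    findings.append((info.filename, line_no, match.group(1).lower()))
    return findings


def build_zip(files):
    """Build an in-memory zip from {path: content} (used for the constructed samples)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for path, content in files.items():
            archive.writestr(path, content)
    return buffer.getvalue()


# Constructed sample packages, not taken from the issue.
CLEAN_THEME = build_zip({"theme/index.php": "<?php $db->exec($sql); curl_exec($ch); ?>",
                         "theme/style.css": "body { margin: 0 }"})
FLAGGED_THEME = build_zip({"theme/index.php": "<?php\necho 'hi';\n$out = Shell_Exec('uptime');\n",
                           "theme/lang/en.txt": "<?php eval($payload);"})

if __name__ == "__main__":
    for name, package in (("clean", CLEAN_THEME), ("flagged", FLAGGED_THEME)):
        hits = scan_theme_zip(package)
        print(name, "-> install" if not hits else f"-> cancel install: {hits}")
```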