
CMSUno 1.6.2 - Remote Code Execution [Authenticated] (config.php) | CVE-2020-25538


Vendor:  https://github.com/boiteasite/cmsuno/
Version: 1.6.2
Vulnerability: Code Injection
CVE: CVE-2020-25538 
Exploit-DB: https://www.exploit-db.com/exploits/48996

Analysis

When I read the source code of the "/uno/central.php" file, I realized that the web application handles its language functionality with a file named "config.php", so the application includes this file in some pages. Below is the initial content of the config.php file.

If I am able to change the content of the "config.php" file, this file will be imported in the "uno.php" page and I will be able to run PHP code on the server. The config.php file is imported in the uno.php file as shown below.
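The risk described above comes from request data ending up in a file that PHP later includes. As an added example (not CMSUno's code and not from the original post; the function name, allowlist and file path are hypothetical), one way to persist such a setting so that the included file can only ever contain data:

```php
<?php
// Added example with hypothetical names; this is not CMSUno's code.
// Assumption: the application stores a language code in a PHP file that
// other pages later include, which is the pattern the write-up describes.

const ALLOWED_LANGS = ['en', 'fr', 'es', 'de']; // constructed allowlist

function write_config_safe(string $path, string $lang): void
{
    // 1. Validate against a fixed allowlist instead of filtering bad characters.
    if (!in_array($lang, ALLOWED_LANGS, true)) {
        throw new InvalidArgumentException('unsupported language code');
    }

    // 2. Never concatenate the value into PHP source by hand. var_export()
    //    emits a valid PHP literal and escapes quotes and backslashes.
    $php = "<?php\nreturn " . var_export(['lang' => $lang], true) . ";\n";

    // 3. Write to a temporary file and rename it into place, so a page that
    //    includes the config never reads a half-written file.
    $tmp = $path . '.' . bin2hex(random_bytes(6)) . '.tmp';
    if (file_put_contents($tmp, $php, LOCK_EX) === false || !rename($tmp, $path)) {
        throw new RuntimeException('could not write config');
    }
}

// Usage with constructed inputs.
$path = sys_get_temp_dir() . '/example_config.php';

write_config_safe($path, 'fr');
$config = include $path;        // the file returns an array, nothing else
echo $config['lang'], PHP_EOL;

try {
    // Constructed value containing a quote character: rejected by the
    // allowlist before anything is written to disk.
    write_config_safe($path, "en'x");
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Storing such settings in a non-executable format (for example JSON read with `json_decode`) removes the include path entirely and is the stronger design where the application allows it.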

So far, so good. But how can I make changes to the "config.php" file? Let's look at the source code of the "/uno/central.php" file.