### Critical Vulnerability Information

- **Product Information**
  - Product Name: FunAdmin
  - PHP Version: 8.2.9
  - FunAdmin Version: v7.1.0-rc4
  - Product Link: [https://gitee.com/funadmin/funadmin](https://gitee.com/funadmin/funadmin)
- **Vulnerability Type**
  - Insecure Deserialization Leading to Arbitrary File Write
- **Vulnerability Details**
  - In the `getMember` function of `app/common/service/AuthCloudService.php`, the value of the user-controlled `cloud_account` field in the cookie (default name: `cloud_account`) is deserialized directly.
  - Deserializing untrusted data is highly dangerous and may lead to severe security consequences.
- **Affected Backend Interfaces**

  ```
  /backend/addon/index
  /backend/sys/upgrade/index
  /backend/sys/upgrade/check
  /backend/sys/upgrade/backup
  /backend/sys/upgrade/install
  ```

- **Exploitation Method**
  - Attackers can craft malicious serialized payloads to exploit PHP Object Injection (POP chain) and achieve arbitrary file write, leveraging the League library used by FunAdmin.
- **Malicious File Path**
  - `D:\phpstudy_pro\WWW\funadmin-v7.1.0-rc4\hack.php`
- **Environment Information**
  - PHP Version: 8.2.9
  - Operating System: Windows 10
  - Compiler: Visual C++ 2019

These details help in understanding and analyzing the security threat that the insecure deserialization vulnerability poses to the FunAdmin system.
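As an added illustration (not FunAdmin's own code), the following shows a cookie-reading function in the shape the advisory describes, beside a hardened version that never calls `unserialize()` on cookie data: the cookie carries a JSON document plus an HMAC tag, the tag is verified with `hash_equals()`, and only then is the payload decoded into arrays. The function names, the cookie layout and the `$secret` parameter are assumptions for this example.

```php
<?php
// Added example, not FunAdmin's code. The vulnerable shape the advisory
// describes: a cookie value handed straight to unserialize(), so any
// attacker-controlled serialized object graph is instantiated server-side.
function getMemberUnsafe(array $cookies): ?array
{
    $raw = $cookies['cloud_account'] ?? null;
    if ($raw === null) {
        return null;
    }
    $member = unserialize($raw);   // untrusted input -> PHP object injection
    return is_array($member) ? $member : null;
}

// Hardened variant (assumed design): the cookie value is "<base64 JSON>.<hmac>".
// The HMAC, keyed with a server-side secret, makes the value unforgeable, and
// JSON with assoc=true yields arrays only, so no class is ever instantiated.
function getMemberSafe(array $cookies, string $secret): ?array
{
    $raw = $cookies['cloud_account'] ?? '';
    $parts = explode('.', $raw, 2);
    if (count($parts) !== 2) {
        return null;                       // malformed cookie
    }
    [$payloadB64, $tag] = $parts;
    $expected = hash_hmac('sha256', $payloadB64, $secret);
    if (!hash_equals($expected, $tag)) {   // constant-time comparison
        return null;                       // forged or tampered cookie
    }
    $payload = base64_decode($payloadB64, true);
    if ($payload === false) {
        return null;
    }
    try {
        $member = json_decode($payload, true, 4, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;                       // not valid JSON: reject
    }
    return is_array($member) ? $member : null;
}

// Issuing side: how the hardened cookie value is produced on login.
function encodeMemberCookie(array $member, string $secret): string
{
    $payloadB64 = base64_encode(json_encode($member, JSON_THROW_ON_ERROR));
    return $payloadB64 . '.' . hash_hmac('sha256', $payloadB64, $secret);
}
```

If the serialized format cannot be replaced immediately, `unserialize($raw, ['allowed_classes' => false])` stops object instantiation (any class becomes `__PHP_Incomplete_Class`), but the integrity check is still needed so that tampered cookies are rejected rather than trusted.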