## Vulnerability Key Information

### Product Information

- Product: [https://gitee.com/funadmin/funadmin](https://gitee.com/funadmin/funadmin)
- PHP Version: 8.2.9
- FunAdmin Version: v7.1.0-rc4

### Vulnerability Type

- Insecure deserialization leading to arbitrary file write

### Vulnerability Details

In the `getMember` method of the file `app/common/service/AuthCloudService.php`, the application directly deserializes the value of the `cloud_account` field, which originates from a user-controlled cookie (`$this->cloud_account_key` defaults to `cloud_account`). Calling `unserialize()` on untrusted data is dangerous: the client chooses which classes are instantiated, and any class with a side-effecting magic method (`__wakeup`, `__destruct`, `__toString`, etc.) on the autoload path becomes reachable, which may lead to severe security consequences.

### Related Code

```php
// Direct deserialization of user-controlled data in the getMember method
public function getMember()
{
    $account = cookie($this->cloud_account_key);
    return $account ? unserialize(base64_decode($account)) : '';
}
```

### Backend Endpoints

The following backend endpoints directly invoke the `getMember` method:

- `/backend/addon/index`
- `/backend/sys/upgrade/index`
- `/backend/sys/upgrade/check`
- `/backend/sys/upgrade/backup`
- `/backend/sys/upgrade/install`

### Attack Method

An attacker can craft a malicious serialized payload and exploit a POP chain to achieve arbitrary file write. Since FunAdmin relies on the `League` library, this can be leveraged for the attack.

### Example Payload

```php
// Payload example
TzozOToiTGV2Z3V........
```

### Attack Consequences

An attacker can exploit this vulnerability to write arbitrary files on the target server, such as `hack.php`, thereby executing arbitrary code.

### PHP Version

- PHP Version: 8.2.9
- System: Windows 11 AMD64
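The following is an added example, not FunAdmin's own code, showing the vulnerable `getMember` pattern from the advisory beside a hardened replacement that never calls `unserialize()` on cookie data: the cookie carries JSON plus an HMAC, so tampered or forged values are rejected before any decoding. The cookie name is taken from the advisory; `COOKIE_HMAC_SECRET` and the function names are assumptions for the demo.

```php
<?php
declare(strict_types=1);

const CLOUD_ACCOUNT_KEY  = 'cloud_account';                        // cookie name from the advisory
const COOKIE_HMAC_SECRET = 'replace-with-a-random-32-byte-secret'; // assumed app secret (placeholder)

// Vulnerable pattern described in the advisory: the client controls the
// serialized stream, so it decides which classes get instantiated.
function getMemberVulnerable(array $cookies): mixed
{
    $account = $cookies[CLOUD_ACCOUNT_KEY] ?? null;
    return $account ? unserialize(base64_decode($account)) : '';
}

// Hardened replacement: issue the cookie as base64(JSON) + HMAC-SHA256.
function issueMemberCookie(array $member): string
{
    $payload = base64_encode(json_encode($member, JSON_THROW_ON_ERROR));
    return $payload . '.' . hash_hmac('sha256', $payload, COOKIE_HMAC_SECRET);
}

// Verify the MAC first, then decode as JSON; JSON can only yield arrays and
// scalars, never objects, so no magic methods can fire.
function getMemberHardened(array $cookies): array
{
    $parts = explode('.', $cookies[CLOUD_ACCOUNT_KEY] ?? '', 2);
    if (count($parts) !== 2) {
        return [];
    }
    [$payload, $mac] = $parts;
    $expected = hash_hmac('sha256', $payload, COOKIE_HMAC_SECRET);
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return [];                          // tampered or forged cookie
    }
    $decoded = base64_decode($payload, true);
    if ($decoded === false) {
        return [];
    }
    try {
        $member = json_decode($decoded, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException) {
        return [];
    }
    return is_array($member) ? $member : [];
}

// Demo with a constructed member record: a genuine cookie round-trips,
// a modified one is rejected.
$cookie = issueMemberCookie(['uid' => 42, 'name' => 'demo']);
$ok  = getMemberHardened([CLOUD_ACCOUNT_KEY => $cookie])['uid'] === 42;
$bad = getMemberHardened([CLOUD_ACCOUNT_KEY => $cookie . 'x']) === [];
echo ($ok && $bad) ? "hardened cookie check passed\n" : "check failed\n";
```

If the cookie format cannot change, at minimum pass `['allowed_classes' => false]` as the second argument to `unserialize()` so objects decode as `__PHP_Incomplete_Class` instead of reaching gadget classes.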