# Summary of OpenCATS Configuration File Modification Vulnerability

## Vulnerability Overview

A configuration file modification vulnerability exists in the `CATSUtility.php` file of OpenCATS. Attackers can modify settings in the `config.php` configuration file by constructing specific GET request parameters.

## Affected Scope

- Affected file: `lib/CATSUtility.php`
- Affected function: `changeConfigSetting($name, $value)`
- Affected configuration items: Any configurable item in the `config.php` file

## Remediation

1. Perform strict input validation before modifying configurations.
2. Restrict the scope of modifiable configuration items.
3. Add permission checks to ensure only administrators can modify configurations.
4. Use a whitelist mechanism to validate configuration item names.

## POC Code

```php
public static function changeConfigSetting($name, $value)
{
    /* Make sure we can read and write to config.php. */
    if (!is_readable('config.php') || !is_writable('config.php'))
    {
        return false;
    }

    /* Try to read the existing config file. */
    $config = @file('config.php');
    if ($config === false)
    {
        return false;
    }

    $newconfig = array();
    foreach ($config as $index => $line)
    {
        if (strpos($line, 'define("' . $name . '","') === 0)
        {
            $newconfig[] = sprintf("define('%s', '%s');", $name, $value);
        }
        else
        {
            $newconfig[] = rtrim($line);
        }
    }

    $result = @file_put_contents(
        'config.php', implode("\n", $newconfig) . "\n"
    );
    if (!$result)
    {
        /* We either completely failed or wrote 0 bytes. */
        return false;
    }

    return true;
}
```
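
The four remediation items applied to a rewrite of the function above, as an added example that is not OpenCATS code or an upstream patch. The function name, the `$path` and `$isAdmin` parameters (standing in for the application's own administrator check), and the `EXAMPLE_*` setting names with their patterns are assumptions made for illustration.

```php
<?php
// Added example, not OpenCATS code. Setting names and value patterns are constructed.
const ALLOWED_SETTINGS = [
    'EXAMPLE_FEATURE_FLAG' => '/\A(?:true|false)\z/',
    'EXAMPLE_PAGE_SIZE'    => '/\A[1-9][0-9]{0,2}\z/',
];

// $isAdmin is a hypothetical stand-in for the caller's session/access-level check.
function changeConfigSettingChecked(string $path, bool $isAdmin, string $name, string $value): bool
{
    if (!$isAdmin) {                                          // item 3: administrators only
        return false;
    }
    if (!array_key_exists($name, ALLOWED_SETTINGS)) {         // items 2 and 4: allowlisted names only
        return false;
    }
    if (preg_match(ALLOWED_SETTINGS[$name], $value) !== 1) {  // item 1: strict value validation
        return false;
    }
    $config = @file($path, FILE_IGNORE_NEW_LINES);
    if ($config === false) {
        return false;
    }
    $pattern = '/^\s*define\(\s*[\'"]' . preg_quote($name, '/') . '[\'"]\s*,/';
    $replaced = false;
    foreach ($config as $i => $line) {
        if (preg_match($pattern, $line) === 1) {
            // var_export() emits a correctly escaped PHP string literal.
            $config[$i] = sprintf('define(%s, %s);', var_export($name, true), var_export($value, true));
            $replaced = true;
        }
    }
    if (!$replaced) {
        return false;                                         // only existing lines are rewritten
    }
    return file_put_contents($path, implode("\n", $config) . "\n", LOCK_EX) !== false;
}

// Demo on a constructed config file in the temp directory.
$path = tempnam(sys_get_temp_dir(), 'cfg');
file_put_contents($path, "<?php\ndefine('EXAMPLE_PAGE_SIZE', '15');\ndefine('EXAMPLE_SECRET', 'keep');\n");
var_dump(changeConfigSettingChecked($path, true, 'EXAMPLE_PAGE_SIZE', '25'));      // valid change
var_dump(changeConfigSettingChecked($path, true, 'EXAMPLE_SECRET', 'changed'));    // name not allowlisted
var_dump(changeConfigSettingChecked($path, true, 'EXAMPLE_PAGE_SIZE', 'not-a-number')); // value fails its pattern
var_dump(changeConfigSettingChecked($path, false, 'EXAMPLE_PAGE_SIZE', '30'));     // caller is not an administrator
echo file_get_contents($path);
unlink($path);
```

Run it with the PHP CLI; only the first call changes the file, and the rejected calls leave `config.php` contents untouched because every check happens before the write.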