### Vulnerability Overview

This advisory covers two hardening changes to the OpenCATS installer. The underlying weaknesses were:

- `ajax.php` did not restrict which AJAX actions could be dispatched while the installer was running (that is, while `INSTALL_BLOCK` was still missing), so non-installer module functions were reachable during installation and upgrade.
- The installer wrote user-supplied configuration values (database host, user, password, name, and tool paths) into `config.php` without escaping them. Because `config.php` is PHP source that is included on every request, a value that closes the surrounding string literal is a code injection, not merely a malformed setting.

### Impact Scope

- The installation and upgrade processes of OpenCATS are affected.
- An attacker who can submit installer requests can inject into the unescaped configuration values and tamper with the generated `config.php`; since that file is executed as PHP, the practical result is attacker-controlled code in the application's configuration.

### Remediation

1. **Restrict AJAX Requests**:
   - Add an `INSTALL_BLOCK` / installer-active check to `ajax.php` so that, while the installer is active, only `install`-module AJAX actions are dispatched, and installer actions are not reachable outside the installer.
2. **Escape Configuration Values**:
   - Pass every configuration value through `var_export($value, true)` before `CATSUtility::changeConfigSetting()` writes it to `config.php`; `var_export()` emits a valid PHP literal with quotes and backslashes escaped, so the value can never terminate the literal it is written into.

### Patched Code

The following is the patched code for both changes (the page's original listing was run together and partially de-duplicated here; the XML element names in the error response were lost in extraction and are restored in the form OpenCATS uses for AJAX errors):

```php
// ajax.php
/* While the installer is active, only AJAX functions of the install module
 * ("install!<function>") may run; any other request is refused with an XML
 * error before module code is loaded. */
if (isset($installerActive) && $installerActive)
{
    $module = '';
    if (strpos($_REQUEST['f'], '!') !== false)
    {
        $parameters = explode('!', $_REQUEST['f']);
        /* Module name is reduced to [A-Za-z0-9-] before it is compared or used. */
        $module = preg_replace('/[^A-Za-z0-9-]/', '', $parameters[0]);
    }

    if ($module != 'install')
    {
        header('Content-type: text/xml');
        echo "<?xml version=\"1.0\"?>\n";
        echo "<data>\n";
        echo "    <errorcode>-1</errorcode>\n";
        echo "    <errormessage>Installer is active. Only installer AJAX actions are allowed.</errormessage>\n";
        echo "</data>\n";
        die();
    }
}

/* Requests without a module prefix: sanitize the bare function name. */
if (strpos($_REQUEST['f'], '!') === false)
{
    $function = preg_replace('/[^A-Za-z0-9-]/', '', $_REQUEST['f']);
}

// modules/install/ajax/ui.php
/* Every value is converted to a PHP literal with var_export() before it is
 * written into config.php, so quotes and backslashes in user input are escaped. */
CATSUtility::changeConfigSetting('DATABASE_USER', var_export($_REQUEST['user'], true), true);
CATSUtility::changeConfigSetting('DATABASE_PASS', var_export($_REQUEST['pass'], true), true);
CATSUtility::changeConfigSetting('DATABASE_HOST', var_export($_REQUEST['host'], true), true);
CATSUtility::changeConfigSetting('DATABASE_NAME', var_export($_REQUEST['name'], true), true);
CATSUtility::changeConfigSetting('MAIL_SMTP_PATH', var_export(SmallSendmailPath, true), true);
CATSUtility::changeConfigSetting('MAIL_SMTP_HOST', var_export(SmallSmtpHost, true), true);
CATSUtility::changeConfigSetting('MAIL_SMTP_PORT', var_export(SmallSmtpPort, true), true);
CATSUtility::changeConfigSetting('MAIL_SMTP_USER', var_export(SmallSmtpUsername, true), true);
CATSUtility::changeConfigSetting('MAIL_SMTP_PASS', var_export(SmallSmtpPassword, true), true);
CATSUtility::changeConfigSetting('ANTIVIRUS_PATH', var_export($antivirusPath, true), true);
CATSUtility::changeConfigSetting('PDFTEXT_PATH', var_export($pdftotextPath, true), true);
CATSUtility::changeConfigSetting('HTML2TEXT_PATH', var_export($html2textPath, true), true);
CATSUtility::changeConfigSetting('UNRTF_PATH', var_export($unrtfPath, true), true);
```

The first block refuses every non-installer AJAX action while the installer is active; the second ensures that whatever the installer writes into `config.php` is a well-formed PHP literal rather than raw input spliced into source code. Note that `var_export()` only solves the quoting problem: the write itself must still be confined to the installer, which is what the first change provides.
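The following is an added example, not code from OpenCATS or from the original advisory. Part 1 shows concretely why splicing an unescaped installer value into `config.php` is PHP code injection and how `var_export()` neutralises it, checking the result with PHP's own lexer. Part 2 is a stand-alone version of the installer-mode gate for the `module!function` request parameter, run over a set of constructed inputs; the rule for the installer-inactive case (refuse `install` actions) is this example's reading of the remediation text, not code taken from the page. Function names prefixed `demo_` and the sample payload are hypothetical.

```php
<?php
// Added example; not OpenCATS code. Function names prefixed demo_ are hypothetical.

/* ---- Part 1: writing a value into config.php ---- */

// Pre-patch pattern: the raw value is dropped between quotes in generated PHP source.
function demo_unescaped_line(string $name, string $value): string
{
    return "define('" . $name . "', '" . $value . "');";
}

// Patched pattern: var_export() emits a PHP string literal with ' and \ escaped,
// so the value cannot terminate the literal whatever it contains.
function demo_escaped_line(string $name, string $value): string
{
    return "define('" . $name . "', " . var_export($value, true) . ");";
}

// Lex a generated line and report whether $fn appears as bare code (a call),
// as opposed to text inside a string literal or a comment.
function demo_contains_call(string $line, string $fn): bool
{
    foreach (token_get_all('<?php ' . $line) as $tok) {
        if (is_array($tok) && $tok[0] === T_STRING && strcasecmp($tok[1], $fn) === 0) {
            return true;
        }
    }
    return false;
}

// Constructed attacker input for the DATABASE_USER field: closes the string and
// the define() call, appends a call, and comments out the rest of the line.
$payload = "x', true); system('id'); //";

$bad  = demo_unescaped_line('DATABASE_USER', $payload);
$good = demo_escaped_line('DATABASE_USER', $payload);

echo $bad, "\n";   // define('DATABASE_USER', 'x', true); system('id'); //');
echo $good, "\n";  // define('DATABASE_USER', 'x\', true); system(\'id\'); //');

var_dump(demo_contains_call($bad, 'system'));   // bool(true)  -> runs when config.php is included
var_dump(demo_contains_call($good, 'system'));  // bool(false) -> stays inside the string

// The escaped line round-trips: evaluating it yields exactly the submitted value.
eval($good);
var_dump(DATABASE_USER === $payload);           // bool(true)

/* ---- Part 2: installer-mode AJAX gate ---- */

// Same parsing as ajax.php: the module is the text before '!', reduced to [A-Za-z0-9-].
// Installer active: only the install module may be called. Installer inactive:
// install-module actions are refused (this example's reading of the remediation text).
function demo_ajax_allowed(string $f, bool $installerActive): bool
{
    $module = '';
    if (strpos($f, '!') !== false) {
        $parameters = explode('!', $f);
        $module = preg_replace('/[^A-Za-z0-9-]/', '', $parameters[0]);
    }
    return $installerActive ? ($module === 'install') : ($module !== 'install');
}

foreach ([
    ['install!checkDatabase', true],   // allow:  installer action during install
    ['candidates!getPipeline', true],  // refuse: normal module during install
    ['getVersion', true],              // refuse: no module prefix at all
    ['Install!checkDatabase', true],   // refuse: comparison is case-sensitive
    ['in/st@all!checkDatabase', true], // allow:  stripped to 'install' before the compare
    ['install!checkDatabase', false],  // refuse: installer not active
    ['candidates!getPipeline', false], // allow:  normal operation
] as [$f, $active]) {
    printf("%-28s active=%-5s -> %s\n", $f, var_export($active, true),
        demo_ajax_allowed($f, $active) ? 'allow' : 'refuse');
}
```

The lexer check is the useful part of Part 1: it is the same judgement PHP makes when `config.php` is included, so it distinguishes "`system` is a call" from "`system` is characters inside a string" without running anything. The fifth Part 2 case is worth noting when reviewing the real `ajax.php`: the comparison is made on the sanitized module name, which is also the name the dispatcher uses, so stray characters are dropped before the check rather than producing a mismatch between what is checked and what is loaded.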