CVE-2022-36262
Description
An issue was discovered in taocms 3.0.2 in the website settings that allows arbitrary PHP code to be injected by modifying config.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Taocms 3.0.2 allows arbitrary PHP code injection via the website settings feature, enabling complete server compromise.
Vulnerability
An arbitrary PHP code injection vulnerability exists in taocms 3.0.2 within the website settings functionality. Values submitted through the settings panel are written into config.php without sufficient input sanitization, so an attacker who controls those values controls part of a PHP source file. Any PHP code embedded in a setting is persisted in config.php and executed whenever the application includes that file to load its configuration. [1]
Exploitation
An attacker needs authenticated admin access to the taocms backend. The attacker opens the website settings, identifies a field whose value is written to config.php (e.g., site name, description, or a custom field), and submits PHP code such as <?php system($_GET['cmd']); ?> (or, if the value is embedded inside a PHP string literal, a payload that first closes that literal). Upon saving, the code is written into config.php, and subsequent page loads execute it. [1]
Impact
Successful exploitation allows the attacker to execute arbitrary PHP code on the server with the privileges of the web server process (e.g., www-data). This amounts to full compromise of the taocms instance, including data exfiltration, further server-side attacks, and potential lateral movement within the hosting environment. [1]
Mitigation
The vendor website (taocms.com) appears to be for sale as of the publication date, suggesting the project may be abandoned or unsupported. As of 2022-08-15, no official patch or fixed version has been released. Users of taocms 3.0.2 should consider migrating to an alternative CMS or implementing custom hardening, such as restricting file permissions on config.php and rigorously validating settings fields; since the application itself must be able to write config.php for the settings feature to work, permission restrictions alone do not remove the root cause, which is that settings values are treated as PHP source. [1]
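The following is an added illustration of the bug class described above, written for this page; it is not taocms code and does not reproduce the project's actual settings handler, file layout, or field names (site_name, site_description and admin_email are assumed for the example). It shows a settings writer that interpolates user input into PHP source, the payload that breaks out of the string literal, and two replacements that never let submitted bytes be parsed as code.

```php
<?php
// Added example, not taocms code. Demonstrates how writing settings into a
// PHP file by string interpolation becomes code injection, and two safe writers.

// 1. Vulnerable pattern: the value is pasted into PHP source text.
//    A value beginning with a single quote closes the string literal, so
//    everything after it is parsed as PHP the next time the file is included.
function write_config_vulnerable(string $path, array $settings): void
{
    $src = "<?php\n";
    foreach ($settings as $key => $value) {
        $src .= "\$config['$key'] = '$value';\n";   // no escaping, no allowlist
    }
    file_put_contents($path, $src);
}

// 2. Hardened, still a PHP file: allowlist the keys, coerce values to strings,
//    and let var_export emit a correctly quoted literal (it escapes ' and \).
function write_config_php_safe(string $path, array $settings): void
{
    $allowed = ['site_name', 'site_description', 'admin_email'];  // assumed field names
    $clean = array_map('strval', array_intersect_key($settings, array_flip($allowed)));
    $src = "<?php\nreturn " . var_export($clean, true) . ";\n";
    // write to a temp file and rename so a half-written config is never included
    file_put_contents($path . '.tmp', $src, LOCK_EX);
    chmod($path . '.tmp', 0640);
    rename($path . '.tmp', $path);
}

// 3. Hardened, no PHP at all: store settings as JSON so the file can never be code.
function write_config_json(string $path, array $settings): void
{
    $allowed = ['site_name', 'site_description', 'admin_email'];  // assumed field names
    $clean = array_map('strval', array_intersect_key($settings, array_flip($allowed)));
    $json = json_encode($clean, JSON_THROW_ON_ERROR | JSON_UNESCAPED_UNICODE);
    file_put_contents($path . '.tmp', $json, LOCK_EX);
    chmod($path . '.tmp', 0640);
    rename($path . '.tmp', $path);
}

function load_config_json(string $path): array
{
    return json_decode(file_get_contents($path), true, 512, JSON_THROW_ON_ERROR);
}

// Constructed payload: closes the literal, appends a command shell, comments out the rest.
$payload = ['site_name' => "x'; system(\$_GET['cmd']); //"];

write_config_vulnerable('/tmp/config_vuln.php', $payload);
echo "vulnerable file:\n", file_get_contents('/tmp/config_vuln.php'), "\n";

write_config_php_safe('/tmp/config_safe.php', $payload);
echo "var_export file:\n", file_get_contents('/tmp/config_safe.php'), "\n";
$loaded = include '/tmp/config_safe.php';   // returns the array; payload stays a string
var_dump($loaded['site_name'] === $payload['site_name']);

write_config_json('/tmp/config.json', $payload);
var_dump(load_config_json('/tmp/config.json')['site_name'] === $payload['site_name']);
```

In the vulnerable file the generated line reads `$config['site_name'] = 'x'; system($_GET['cmd']); //';`, which is valid PHP that runs `system()` on every include. The var_export writer renders the same value as one quoted string literal, so `include` simply returns it unchanged, and the JSON writer removes the possibility entirely because nothing in config.json is ever executed. The allowlist also blocks a second injection route that interpolation opens: attacker-chosen keys.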
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- taocms/taocms
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- taocms.com
- github.com/taogogo/taocms/issues/34
News mentions
No linked articles in our index yet.