VYPR
Medium severity · 4.8 · OSV Advisory · Published Sep 20, 2024 · Updated Apr 15, 2026

CVE-2024-37879

Description

Improper input validation in /admin/config/save in User-friendly SVN (USVN) before v1.0.12 and below allows administrators to execute arbitrary code via the fields "siteTitle", "siteIco" and "siteLogo".

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Improper input validation in USVN before v1.0.12 allows administrators to execute arbitrary code via admin config fields.

The vulnerability in USVN (User-friendly SVN) before version 1.0.12 resides in the /admin/config/save endpoint. The setSiteDatas function directly assigns user-supplied values to INI configuration parameters such as siteTitle, siteIco, and siteLogo without proper sanitization [1]. This lack of input validation allows an authenticated administrator to inject arbitrary key-value pairs into the configuration file.

To exploit this, an attacker must have administrator privileges and access to the configuration save functionality. By crafting malicious input for these fields, an attacker can inject arbitrary INI directives that are later parsed by PHP, potentially leading to arbitrary code execution [1]. The attack vector is low complexity but requires authentication and high privileges, reflected in the CVSS score of 4.8 (Medium).

The impact is significant: an administrator can execute arbitrary code on the server, leading to full compromise of the USVN installation and potentially the underlying system [1]. The injection occurs because the configuration file is parsed using PHP's parse_ini_file, which can execute PHP code if certain directives are set.

The issue was fixed in USVN version 1.0.12. The commit adds filter_var with FILTER_SANITIZE_STRING and FILTER_SANITIZE_FULL_SPECIAL_CHARS to sanitize the affected fields [1]. Users are strongly advised to upgrade to version 1.0.12 or later [2].
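The unsanitized write into the INI file described above can be refused at the save boundary; the following is an added example in PHP, not USVN's code or its 1.0.12 patch, and the function names and the `[general]` section name are assumptions. (FILTER_SANITIZE_STRING, named in the fix above, is deprecated since PHP 8.1, which is one reason to prefer an explicit allow-list check like this one.)

```php
<?php
// Added example (not USVN's code): validate site settings before they are
// written into an INI file that parse_ini_file() will later read. A value
// containing a newline can end the current "key = value" line and start new
// directives, which is the defect class CVE-2024-37879 describes.

/**
 * Returns $value as a double-quoted INI literal, or null when the value
 * cannot be represented safely and the save must be refused.
 */
function ini_safe_value(string $value): ?string
{
    // Control characters (including CR/LF) are never legitimate in a site
    // title or file name; rejecting them blocks line injection outright.
    if (preg_match('/[\x00-\x1F\x7F]/', $value)) {
        return null;
    }
    // Inside a double-quoted INI string, '"' ends the literal, '$' starts
    // ${VAR} interpolation and '\' escapes; refuse them and cap the length.
    if (strlen($value) > 255 || preg_match('/["$\\\\]/', $value)) {
        return null;
    }
    return '"' . $value . '"';
}

/** Builds the [general] section for an allow-listed set of fields (assumed names). */
function build_site_section(array $fields): ?string
{
    $lines = ['[general]'];
    foreach (['siteTitle', 'siteIco', 'siteLogo'] as $key) {
        if (!array_key_exists($key, $fields)) {
            continue;
        }
        $literal = ini_safe_value((string) $fields[$key]);
        if ($literal === null) {
            return null; // one bad field rejects the whole save
        }
        $lines[] = "$key = $literal";
    }
    return implode("\n", $lines) . "\n";
}

// Constructed sample input: a benign request, then one carrying an
// embedded newline that would otherwise become a second directive.
var_dump(build_site_section(['siteTitle' => 'My SVN', 'siteLogo' => 'logo.png']));
var_dump(build_site_section(['siteTitle' => "My SVN\nextra = 1"]));
```

The first call returns the serialized section; the second returns null, so the handler should respond with a validation error instead of writing the file.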

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Usvn/Usvn (OSV), 2 versions: 1.0.1, 1.0.10, 1.0.11, … + 1 more
    • (no CPE) range: 1.0.1, 1.0.10, 1.0.11, …
    • (no CPE) range: <=1.0.12

Patches (2)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (4)

News mentions (0)

No linked articles in our index yet.