PT-2026-22994 · Php+2

Anuraagbaishya · Published 2026-03-02 · Updated 2026-03-16 · CVE-2026-28507

CVSS v4.0: 8.6 (High)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: Idno versions prior to 1.6.4

Description: Idno, a social publishing platform, contains a remote code execution vulnerability that is reached through a chain of two issues. First, a web application administrator can be induced, through the WordPress import process, to make the server write a PHP file into its temporary directory. Second, any authenticated user can then trigger inclusion of that file through an unsanitized template name parameter, which results in arbitrary operating system command execution as the web server user.

The first component, importImagesFromBodyHTML() in Idno/Core/Migration.php, lets an administrator cause the server to fetch an attacker-controlled URL while a WordPress import is being processed; the fetched content is written to the server's temp directory as a PHP file. The second component, in Idno/Pages/Search/User.php and Idno/Core/Bonita/Templates.php, lets any authenticated user supply a template name that reaches draw() without adequate sanitization. The regex that draw() applies to the template name does not prevent path traversal, so a file outside the intended template directory, such as the one written in the first step, can be included. Exploitation requires the text plugin to be enabled and allow_url_fopen to be enabled in PHP.

Recommendations: Versions prior to 1.6.4: upgrade to version 1.6.4 or later. As further hardening, restrict the template names accepted by draw() to an allowlist such as ^[a-z0-9/ -]+$, rejecting any name containing ../ or beginning with /; validate the extension of files written by importImagesFromBodyHTML() against an allowlist of image extensions (jpg, jpeg, png, gif, webp) before writing to disk; validate the hostname of image URLs in importImagesFromBodyHTML() against the source domain rather than using substr_count(), which matches the domain anywhere in the URL and so does not distinguish hostname from path; and use tempnam() for temp files in the import flow rather than constructing filenames from user-controlled URL components.
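The following is an added illustration of the checks recommended above, written for this page; it is not Known's code and does not reproduce the project's actual functions. Function names, the substr_count()-based check shown for contrast, and the sample URLs and template names are all assumptions constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not Known's code: a minimal model of the checks the
// advisory recommends. Function names, the weak check shown for contrast
// and the sample inputs are assumptions constructed for illustration.

// Component 1, weak form: substr_count() finds the source domain anywhere in
// the URL, so a domain placed in the path or as a subdomain label also passes.
function weakDomainCheck(string $url, string $sourceDomain): bool
{
    return substr_count($url, $sourceDomain) > 0;
}

// Recommended: compare the parsed hostname itself against the source domain.
function hostMatchesSource(string $url, string $sourceDomain): bool
{
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host)) {
        return false;
    }
    return strcasecmp($host, $sourceDomain) === 0;
}

// Recommended: only persist files whose extension is on the image allowlist.
function hasAllowedImageExtension(string $url): bool
{
    $path = parse_url($url, PHP_URL_PATH);
    if (!is_string($path)) {
        return false;
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return in_array($ext, ['jpg', 'jpeg', 'png', 'gif', 'webp'], true);
}

// Recommended: let tempnam() pick the temp filename instead of building it
// from URL components the importing user (or the remote host) controls.
function makeImportTempPath(string $tempDir): ?string
{
    $path = tempnam($tempDir, 'import_');
    return $path === false ? null : $path;
}

// Component 2: allowlist for template names passed to draw(). The allowlist
// contains no '.', so "../" cannot appear; a leading '/' is rejected separately.
function isSafeTemplateName(string $name): bool
{
    if ($name === '' || $name[0] === '/') {
        return false;
    }
    return preg_match('~^[a-z0-9/ -]+$~', $name) === 1;
}

// Constructed sample inputs for a local run (php example.php).
$source = 'blog.example';
$urls = [
    'https://blog.example/uploads/photo.jpg',            // legitimate image
    'https://attacker.example/blog.example/shell.php',   // domain only in path
    'https://blog.example.attacker.example/x.png',       // domain as subdomain label
];
foreach ($urls as $u) {
    printf("%-50s substr_count=%-5s host=%-5s ext=%s\n", $u,
        var_export(weakDomainCheck($u, $source), true),
        var_export(hostMatchesSource($u, $source), true),
        var_export(hasAllowedImageExtension($u), true));
}

$names = ['entity/default', '../../../tmp/shell', '/tmp/shell', 'Entity/Default'];
foreach ($names as $n) {
    printf("%-22s template ok=%s\n", $n, var_export(isSafeTemplateName($n), true));
}

$tmp = makeImportTempPath(sys_get_temp_dir());
if ($tmp !== null) {
    printf("temp file chosen by tempnam(): %s\n", $tmp);
    unlink($tmp);
}
```

In the run above, weakDomainCheck() accepts all three URLs because each contains the string blog.example, while hostMatchesSource() accepts only the first; the second URL is also rejected by the extension allowlist because it ends in .php. The last two template names fail the allowlist even though they contain no "../", which is the point of an allowlist over a denylist regex.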

Exploit

Fix

RCE

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-28507
GHSA-37J7-56XC-C468

Affected Products

Idno
Php
Wordpress