qdPM through 9.1 allows PHP Object Injection via timeReportActions::executeExport in core/apps/qdPM/modules/timeReport/actions/actions.class.php because unserialize is used.
qdPM versions 9.1 and prior are vulnerable to PHP Object Injection in timeReportActions::executeExport (core/apps/qdPM/modules/timeReport/actions/actions.class.php), where unserialize() is called on data the requester controls. Because unserialize() instantiates whatever class the input names, an attacker can construct objects of any class the application or its vendored libraries can autoload. Whether that escalates to arbitrary code execution, file writes or deletions, or data exfiltration depends on the "gadget" classes available in the deployed code base; the advisory establishes the injection primitive, and a usable gadget chain in qdPM's dependencies is what would turn it into full server compromise.
Step 1: Payload Preparation: The attacker builds a serialized PHP object string naming a class that already exists in the qdPM code base or its dependencies (the attacker cannot supply class definitions, only property values). The chosen class must do something useful to the attacker in a magic method that PHP runs automatically, typically __wakeup() (on deserialization) or __destruct() (when the object is released), or in __toString()/__call() if the object is later used that way. Chaining several such classes so that one object's property is another object is what turns a single gadget into a full gadget chain.
Step 2: Payload Delivery: The attacker targets timeReportActions::executeExport, which is reached when exporting a time report. The advisory does not name the specific request parameter; what matters is that a value from the request reaches unserialize() unchanged, so the serialized string is sent in that parameter via a normal browser request or a scripted HTTP call.
Step 3: Vulnerability Trigger: Inside executeExport the application calls unserialize() on the attacker-supplied string without an allowed_classes restriction, so PHP instantiates the named class and populates its properties from the payload, including private and protected ones.
Step 4: Code Execution: __wakeup() runs immediately during unserialize(); __destruct() runs when the last reference to the injected object goes away, which for a one-off deserialization is usually before the response is sent. The attacker-chosen property values now drive whatever those methods do, for example writing a file to the web root or invoking a callable, which is how object injection becomes remote code execution (RCE).
Step 5: Post-Exploitation: With code execution in the web server's context the attacker can run commands, read the qdPM database configuration and user data, or establish persistence, for instance by dropping a PHP file into a writable directory served by the application.
The vulnerability stems from passing request data to unserialize() in core/apps/qdPM/modules/timeReport/actions/actions.class.php. PHP's native serialization format encodes class names, so any class loadable at that point can be instantiated with attacker-chosen property values, and its magic methods execute with those values. Input "validation" or "sanitization" is the wrong framing for the fix: a serialized string that names a legitimate class is well formed, and blocklisting class names does not survive the discovery of a new gadget. The correct remediations, in order of preference, are to avoid PHP serialization for request data altogether (json_decode() for plain option arrays), to call unserialize() with ['allowed_classes' => false] so objects degrade to __PHP_Incomplete_Class with no magic methods to fire (PHP 7.0 and later; or an explicit allow-list of data-only classes when objects are genuinely needed), and, where serialized blobs must round-trip through the client, to authenticate them with an HMAC under a server-side key and verify it before deserialization. This is a textbook PHP Object Injection vulnerability (CWE-502, Deserialization of Untrusted Data).
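The following is an added, self-contained PHP example written for this page; it is not qdPM code and does not reproduce the real executeExport body, which is not quoted here. It walks the five steps above end to end and then shows the two hardened variants from the root-cause discussion. The LogWriter class is a hypothetical gadget standing in for whatever autoloadable class with a side-effecting __destruct() an attacker would locate in the application or its dependencies; the payload is hand-built so the serialized format is visible, and the file it writes goes to the system temp directory.

```php
<?php
declare(strict_types=1);

// Added example, not qdPM code. LogWriter is a HYPOTHETICAL gadget: it stands in for any
// class reachable by the autoloader whose __destruct()/__wakeup() does work driven by its
// own properties. The attacker never writes this class; it only has to exist on the target.
final class LogWriter
{
    public string $file = '';
    public string $data = '';

    // Side effect on destruction; both properties come straight from the payload.
    public function __destruct()
    {
        if ($this->file !== '') {
            file_put_contents($this->file, $this->data);
        }
    }
}

// Stand-in for the vulnerable pattern: untrusted bytes into unserialize() with no restriction.
function vulnerableExport(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Hardened stand-in 1: keep unserialize() but refuse to instantiate any class (PHP >= 7.0).
// Objects in the payload become __PHP_Incomplete_Class, which has no magic methods to fire.
function hardenedExport(string $untrusted): mixed
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Hardened stand-in 2: for plain option data, do not use PHP serialization at all.
function hardenedExportJson(string $untrusted): mixed
{
    return json_decode($untrusted, true, 16, JSON_THROW_ON_ERROR);
}

// Hand-built payload, the way an attacker would send it.
// Object format: O:<len>:"<class>":<nprops>:{<props>}; a public string property is
// s:<len>:"<name>";s:<len>:"<value>";
function craftPayload(string $targetFile, string $content): string
{
    $prop = fn(string $name, string $value): string =>
        sprintf('s:%d:"%s";s:%d:"%s";', strlen($name), $name, strlen($value), $value);

    return sprintf('O:%d:"%s":2:{%s%s}', strlen('LogWriter'), 'LogWriter',
        $prop('file', $targetFile), $prop('data', $content));
}

function demo(): void
{
    $target  = sys_get_temp_dir() . '/poi_demo_' . bin2hex(random_bytes(4)) . '.txt';
    $payload = craftPayload($target, "written by a deserialized object\n");
    echo "payload: $payload\n";

    // Steps 3 and 4: the class is instantiated; when the last reference dies, __destruct()
    // runs with attacker-chosen properties and the file appears.
    $obj = vulnerableExport($payload);
    unset($obj);
    printf("vulnerable: target written? %s\n", is_file($target) ? 'yes' : 'no');
    @unlink($target);

    // Same bytes through the hardened path: no LogWriter is ever constructed.
    $safe = hardenedExport($payload);
    printf("hardened: got %s, target written? %s\n",
        get_class($safe), is_file($target) ? 'yes' : 'no');

    // JSON path: the serialized blob is simply rejected as malformed input.
    try {
        hardenedExportJson($payload);
    } catch (JsonException $e) {
        echo "json: rejected ({$e->getMessage()})\n";
    }
}

demo();
```

Run it with `php poi_demo.php`. The first line prints the raw payload string, which is the shape of what would be sent in the export request; the vulnerable call reports the file as written, the allowed_classes => false call reports a __PHP_Incomplete_Class and no file, and the JSON variant throws. Note that the destructor fires at unset(), not inside unserialize(), which is why __destruct() gadgets work even when the application never touches the returned object.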