CVE-2020-26165

Source: cve@mitre.org

HIGH
8.8
Published: December 31, 2020 at 09:15 PM
Modified: November 21, 2024 at 05:19 AM

Vulnerability Description

qdPM through 9.1 allows PHP Object Injection via timeReportActions::executeExport in core/apps/qdPM/modules/timeReport/actions/actions.class.php because unserialize is used.

CVSS Metrics

Base Score
8.8
Severity
HIGH
Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

qdPM versions 9.1 and prior are vulnerable to a critical PHP Object Injection vulnerability. Attackers can leverage this flaw to execute arbitrary code on the server by crafting malicious serialized objects, potentially leading to complete system compromise and data exfiltration or ransomware deployment.

02 // Vulnerability Mechanism

Step 1: Payload Preparation: The attacker crafts a malicious serialized PHP object. This object is designed to exploit the unserialize() function and execute arbitrary PHP code when deserialized. This often involves creating objects with specific properties that, when unserialized, trigger the execution of system commands or other malicious actions.

Step 2: Payload Delivery: The attacker submits the crafted serialized object to the vulnerable timeReportActions::executeExport function. This is typically achieved through a specially crafted HTTP request, potentially via file upload or data import functionality.

Step 3: Vulnerability Trigger: The executeExport function calls unserialize() on the attacker-supplied data. This triggers the deserialization process.

Step 4: Code Execution: During deserialization, the malicious object's methods or properties are invoked, leading to the execution of the attacker's injected PHP code. This could involve executing system commands, writing to files, or establishing a reverse shell.

Step 5: Post-Exploitation: The attacker gains control of the server, potentially leading to data exfiltration, privilege escalation, or further compromise.

03 // Deep Technical Analysis

The vulnerability stems from the insecure use of the unserialize() function in core/apps/qdPM/modules/timeReport/actions/actions.class.php. This function is used to deserialize user-controlled data, specifically within the timeReportActions::executeExport function. By supplying a serialized string that describes attacker-chosen PHP objects, an attacker can manipulate the application's internal state. When unserialize() processes this string, it can trigger the execution of arbitrary code, such as system commands, because the reconstructed objects' properties and methods are invoked during and after deserialization. The root cause is the lack of input validation and sanitization before the unserialize() call, which allows an attacker to inject objects into the application's execution flow. This is a classic example of insecure deserialization leading to remote code execution (RCE).

04 // Exploitation Status

Public PoC is likely available. The vulnerability is relatively straightforward to exploit, and unserialize() on untrusted input is a well-known and frequently targeted vulnerability class. While no specific reports of actively exploited status are available, the ease of exploitation and the potential impact make it a high-risk vulnerability.

05 // Threat Intelligence

While no specific APT groups are definitively linked to the exploitation of this CVE, the nature of the vulnerability makes it attractive to a wide range of attackers, including those seeking to deploy ransomware or steal sensitive data. The lack of specific attribution does not diminish the risk.

CISA KEV: Not Listed

06 // Detection & Hunting

  • Monitor HTTP request logs for suspicious POST requests containing serialized data, especially those targeting the timeReport module and the executeExport function.

  • Analyze web server access logs together with process and audit logs for unusual activity, such as the web server account spawning shells or system commands, or the creation of unexpected files under the web root.

  • Implement file integrity monitoring to detect unauthorized changes to critical system files.

  • Network traffic analysis: Look for unusual network connections originating from the server, especially outbound connections to suspicious IP addresses or domains.

  • Examine PHP error logs for unserialize() errors or warnings, which may indicate exploitation attempts.
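The first hunting item above (request bodies carrying serialized data aimed at the timeReport module) can be automated. The following is an added example written for this page, not code from qdPM or from the advisory source: it scans request-log records for PHP serialized-object markers (the `O:<len>:"<class>":<n>:{` and `C:` record forms), decoding URL encoding first, and raises the severity when the path is under the timeReport module named in the CVE. The JSON-lines log format with `path` and `body` fields, the function names, and the sample records are all constructed assumptions; the sample payload uses only `stdClass` and is not an exploit.

```php
<?php
// Added example (not qdPM's code): flag HTTP request bodies that carry
// PHP serialized-object records. Assumes a reverse proxy that logs request
// bodies as JSON lines with "path" and "body" fields (constructed format).

declare(strict_types=1);

// Matches an object record (O:) or a Serializable record (C:) with its class name.
// In a single-quoted PHP string '\\\\' is two backslashes, i.e. one escaped
// backslash in the regex, so namespaced class names are accepted.
const SERIALIZED_OBJECT_RE = '/(?<![\w])[OC]:\d+:"([A-Za-z_\\\\][\w\\\\]*)":\d+:\{/';

/** Return the distinct class names of serialized-object records found in a body. */
function serializedObjectClasses(string $body): array
{
    // Payloads arrive raw, URL-encoded, or double-encoded; check all three forms.
    $candidates = [$body, urldecode($body), urldecode(urldecode($body))];
    $classes = [];
    foreach ($candidates as $text) {
        if (preg_match_all(SERIALIZED_OBJECT_RE, $text, $m)) {
            foreach ($m[1] as $class) {
                $classes[$class] = true;
            }
        }
    }
    return array_keys($classes);
}

/** Scan JSON-lines log records and return one alert per body that carries objects. */
function scanRequestLog(array $lines): array
{
    $alerts = [];
    foreach ($lines as $index => $line) {
        $rec = json_decode($line, true);
        if (!is_array($rec) || !isset($rec['path'], $rec['body'])) {
            continue; // malformed or body-less record
        }
        $classes = serializedObjectClasses((string) $rec['body']);
        if ($classes === []) {
            continue;
        }
        $onTimeReport = strpos($rec['path'], '/timeReport/') !== false;
        $alerts[] = [
            'line'     => $index + 1,
            'path'     => $rec['path'],
            'classes'  => $classes,
            'severity' => $onTimeReport ? 'high' : 'medium',
        ];
    }
    return $alerts;
}

// Constructed sample records (not real traffic). Record 2 is URL-encoded,
// record 3 is raw; both carry a harmless stdClass record.
$sample = [
    '{"path":"/index.php/timeReport/export","body":"format=csv&project=7"}',
    '{"path":"/index.php/timeReport/export","body":"data=a%3A1%3A%7Bs%3A1%3A%22x%22%3BO%3A8%3A%22stdClass%22%3A0%3A%7B%7D%7D"}',
    '{"path":"/index.php/projects/list","body":"O:8:\"stdClass\":0:{}"}',
];

foreach (scanRequestLog($sample) as $a) {
    printf("line %d  %-6s %s  classes=%s\n",
        $a['line'], $a['severity'], $a['path'], implode(',', $a['classes']));
}
```

Run against the constructed sample, record 1 (a plain CSV export request) is silent, record 2 is reported as high severity because the serialized record targets the timeReport path, and record 3 is reported as medium. Serialized arrays (`a:`) and scalars are deliberately not matched, since legitimate applications serialize those routinely; only object records are the signal for this vulnerability class.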

07 // Remediation & Hardening

  • Upgrade to qdPM version 9.2 or later, which should contain a fix for this vulnerability.

  • Implement input validation and sanitization to prevent the injection of malicious serialized objects. This includes validating the data type, size, and format of user-supplied input before passing it to unserialize().

  • Avoid using unserialize() with untrusted data whenever possible. If unserialize() is necessary, use a data-only serialization format such as JSON instead, or restrict deserialization to an explicit allow-list of classes so that arbitrary objects cannot be instantiated.

  • Implement a Web Application Firewall (WAF) to filter malicious requests and block exploitation attempts.

  • Regularly scan the system for vulnerabilities and apply security patches promptly.

  • Review and harden the PHP configuration, disabling dangerous functions and features.

  • Implement least privilege principles for all user accounts and services.
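The input-validation and allow-list items above translate into a few lines of PHP. The following is an added example written for this page, not qdPM's code and not a patch for the CVE: it shows the unsafe pattern (request data passed straight to unserialize()) beside two hardened replacements for a hypothetical export-filter loader. The first keeps PHP's native format but passes `['allowed_classes' => false]` (available since PHP 7.0), so any object record becomes `__PHP_Incomplete_Class` and no class code runs; the second switches to JSON, which cannot express PHP objects at all. The function names, the size limit and the sample blobs are assumptions.

```php
<?php
// Added example (not qdPM's code): hardening a hypothetical time-report
// export handler that accepts a filter blob from the client.

declare(strict_types=1);

/**
 * Unsafe pattern: whatever the client sends is reconstructed as live objects,
 * so every class with __wakeup()/__destruct()/__toString() becomes reachable.
 */
function loadFiltersUnsafe(string $raw): mixed
{
    return unserialize($raw);   // never do this with untrusted input
}

/**
 * Hardened pattern 1: keep the native format, forbid object instantiation.
 * allowed_classes => false turns every O:/C: record into __PHP_Incomplete_Class,
 * whose magic methods never execute; the walk below then rejects the blob
 * outright instead of silently carrying an incomplete object around.
 */
function loadFiltersSafe(string $raw): array
{
    if (strlen($raw) > 4096) {                       // assumed size budget
        throw new InvalidArgumentException('filter blob too large');
    }
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new InvalidArgumentException('filter blob is not an array');
    }
    // array_walk_recursive visits every leaf, including nested objects.
    array_walk_recursive($data, static function ($leaf): void {
        if (is_object($leaf)) {
            throw new InvalidArgumentException('objects are not permitted in filters');
        }
    });
    return $data;
}

/**
 * Hardened pattern 2 (preferred for new code): a data-only format.
 * JSON has no object-instantiation semantics, so there is nothing to inject.
 */
function loadFiltersJson(string $raw): array
{
    $data = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('filter document is not an object/array');
    }
    return $data;
}

// Constructed inputs: a legitimate filter blob and one that smuggles an
// object record (a harmless stdClass here; the class would be attacker-chosen).
$legit   = serialize(['project_id' => 7, 'from' => '2020-01-01', 'to' => '2020-12-31']);
$objects = 'a:1:{s:1:"x";O:8:"stdClass":0:{}}';

var_dump(loadFiltersSafe($legit)['project_id']);          // int(7)
try {
    loadFiltersSafe($objects);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;         // objects are not permitted
}
var_dump(loadFiltersJson('{"project_id":7}')['project_id']); // int(7)
```

Note that `allowed_classes => false` stops class code from running but still yields a value, so the explicit array check and the leaf walk are what turn an injection attempt into a hard error that can be logged and alerted on. The size limit is there because deserialization cost grows with input length regardless of which classes are allowed.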

08 // Affected Products

qdPM <= 9.1