GHSA-25fp-8w8p-mx36

Summary

A critical OS Command Injection vulnerability exists in the P7M (signed XML) file decoding functionality. An authenticated attacker can upload a ZIP file containing a .p7m file with a malicious filename to execute arbitrary system commands on the server.

Vulnerable Code

File: src/Util/XML.php:100

public static function decodeP7M($file)
{
    $directory = pathinfo($file, PATHINFO_DIRNAME);
    $content = file_get_contents($file);

    $output_file = $directory.'/'.basename($file, '.p7m');

    try {
        if (function_exists('exec')) {
            // VULNERABLE - No input sanitization!
            exec('openssl smime -verify -noverify -in "'.$file.'" -inform DER -out "'.$output_file.'"', $output, $cmd);

The Problem:

• The $file parameter is passed directly into exec() without sanitization
• Although wrapped in double quotes, an attacker can escape them
• The filename comes from uploaded ZIP archives (user-controlled)

Attack Vector

Entry Points:

1. plugins/importFE_ZIP/actions.php:126 (when automatic import is enabled)

   foreach ($files_xml as $xml) {
       if (string_ends_with($xml, '.p7m')) {
           $file = XML::decodeP7M($directory.'/'.$xml);  // $xml from ZIP!
   

2. plugins/importFE/src/FatturaElettronica.php:56 (constructor)

   if (string_ends_with($name, '.p7m')) {
       $file = XML::decodeP7M($this->file);  // $name from user input!
   

Attack Flow:

1. Attacker creates ZIP with malicious filename
2. Upload ZIP via importFE_ZIP plugin
3. Application extracts ZIP and iterates files
4. For .p7m files, decodeP7M() is called
5. Malicious filename is injected into exec() command
6. Arbitrary command executes as web server user

Proof of Concept

⚠️ IMPORTANT NOTE: PHP's ZipArchive::extractTo() splits filenames on / character. Payload must NOT contain / in commands. Use cd directory && command instead of absolute paths.

Step 1: Create...