TazmiDev/CVE-2026-36239

GitHub: TazmiDev/CVE-2026-36239

Stars: 2 | Forks: 0

# CVE-2026-36239: Authenticated RCE in PbootCMS v3.2.12 backend (sitecopyright)

## Vulnerability Overview

A critical remote code execution (RCE) vulnerability has been identified in the `sitecopyright` functionality of the PbootCMS backend administration interface. Specifically, untrusted input submitted via the "Footer Information" field is insufficiently sanitized before being processed and rendered on frontend pages. An authenticated administrator (whose session may be compromised, or who may be socially engineered) can inadvertently introduce malicious PHP code. When a frontend page is rendered, this code is executed in the server's runtime context, enabling full system compromise.

## Vulnerability Details

- Vulnerable Component: `decode_string()` function in `/apps/home/controller/ParserController.php` (line 261)
- Root Cause: Insecure deserialization and output handling. Specifically, the sequential application of `stripcslashes()` followed by `htmlspecialchars_decode()` reverses HTML entity encoding and escape sequences, restoring executable PHP code that is then echoed directly into the template output without validation or sandboxing.
- Affected Context: Any frontend page using the `{pboot:sitecopyright}` template tag.

## Exploitation Workflow

1. The attacker gains authenticated access to the administrative backend (e.g., via credential reuse, session hijacking, or phishing).
2. Navigates to the site configuration page (`/admin.php?p=/Site/mod`).
3. Injects a malicious PHP payload into the "Footer Information" field, for example: `');?>`
4. Submits and saves the configuration.
5. Triggers template cache clearance (`/admin.php?p=/Index/clearCache`) to ensure the updated content is parsed.
6. Visits any frontend page containing `{pboot:sitecopyright}`, causing execution of the injected payload and writing a web shell (`shell.php`) to the web root directory.
## Risk Assessment

This vulnerability poses severe security implications, including but not limited to:

- Arbitrary remote code execution with the privileges of the web server process;
- Full compromise of the hosting environment, including lateral movement and privilege escalation;
- Unauthorized access to backend databases, configuration files, and other sensitive assets;
- Deployment of persistent backdoors and establishment of long-term command-and-control channels.

## Affected Versions

- Confirmed in PbootCMS v3.2.12.
- All versions incorporating the `decode_string()` function for processing `sitecopyright` content are potentially affected, particularly where input from administrative interfaces is passed unfiltered through this routine.
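The root cause described above comes down to the order of `stripcslashes()` and `htmlspecialchars_decode()` undoing the encoding that the admin form applied, and the decoded result being echoed into a compiled template. The following PHP is an added illustration written for this page; it is not PbootCMS code and the function names `unsafe_decode_string`, `safe_decode_string` and `contains_php_open_tag` are assumptions. It shows the decoding chain on a constructed, entity-encoded sample value, a hardened variant that re-escapes the output so it can only ever render as text, and an audit helper that flags stored configuration values whose decoded form contains a PHP open tag (useful for reviewing a site's settings after the fact, or as server-side validation before saving).

```php
<?php
// Added illustration for CVE-2026-36239 (not PbootCMS code).
// Function names below are assumptions for this example, not PbootCMS identifiers.
declare(strict_types=1);

// Mirrors the order of operations the advisory attributes to decode_string():
// escape sequences are stripped first, then HTML entities are decoded.
// The result is returned as-is, which is what makes it dangerous when echoed
// into a template that is later compiled as PHP.
function unsafe_decode_string(string $stored): string
{
    return htmlspecialchars_decode(stripcslashes($stored));
}

// Hardened variant: perform the same decoding for display, then re-escape the
// final value so that '<' and '>' survive only as text. Whether any markup should
// be allowed in this field is a policy decision; "text only" is the safe default.
function safe_decode_string(string $stored): string
{
    $decoded = htmlspecialchars_decode(stripcslashes($stored));
    return htmlspecialchars($decoded, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Audit / validation helper: does the decoded form of a stored value contain a
// PHP open tag ("<?php" or "<?=")? Run it over every configuration value when
// reviewing a deployment, or reject the save when it returns true.
function contains_php_open_tag(string $stored): bool
{
    $decoded = htmlspecialchars_decode(stripcslashes($stored));
    return (bool) preg_match('/<\?(php\b|=)/i', $decoded);
}

// Constructed sample: an HTML-entity-encoded value of the kind a form layer
// might store. Any value containing an open tag would do; this one is benign.
$stored = '&lt;?php echo 1; ?&gt;';

var_dump(unsafe_decode_string($stored));
var_dump(safe_decode_string($stored));
var_dump(contains_php_open_tag($stored));
```

The two decode functions deliberately share the same decoding steps so that the only difference is the final `htmlspecialchars()` call; that is the change that turns the restored tag back into inert text. The audit helper decodes before matching on purpose: matching on the raw stored bytes would miss exactly the entity-encoded form that the vulnerable chain restores.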