JVN#94791545: FuelPHP vulnerable to remote code execution

FuelPHP is a PHP web framework for creating web applications. FuelPHP applications contain an issue in the Request_Curl class, which may result in arbitrary code execution.

Impact

When specially crafted input is processed, arbitrary files may be deleted or arbitrary code may be executed on the application server.

Solution

Update to the latest version of the framework and address any applications that use the Request_Curl class
Update the framework to the latest version according to the information provided by the developer.
After updating, search for all controllers in the application that use the Request_Curl class. For each instance found, verify if the response from the cURL call can be trusted. If so, auto formatting can be enabled on the instance manually. If not, validation code needs to be added to validate the response received after executing the request. After succesful validation auto formatting can be enabled and set_response() can be called manually to construct the response in the correct format.

The developer has provided documentation on the safety implications of these settings.

Products Affected

FuelPHP applications that are created using the following versions are affected:

• FuelPHP versions 1.1 through 1.7.1