PHP-Charts v1.0 contains a PHP code execution vulnerability in wizard/url.php, where user-supplied GET parameter names are passed directly to eval() without sanitization. A remote attacker can exploit this flaw by crafting a request that injects arbitrary PHP code, resulting in command execution under the web server's context. The vulnerability allows unauthenticated attackers to execute system-level commands via base64-encoded payloads embedded in parameter names, leading to full compromise of the host system.
The vulnerability (CWE-95 — Improper Neutralization of Directives in Dynamically Evaluated Code) lies in the fact that the wizard/url.php script retrieves parameter names from the GET request and passes them directly to the PHP eval() function. An attacker can embed arbitrary PHP code in the parameter name, e.g., a base64-encoded payload containing system commands. Upon receiving the request, the web server executes the injected code in its own context without any verification of the requester's identity.
An unauthorized remote attacker can execute arbitrary system commands with the privileges of the web server process, leading to complete takeover of the system hosting the application, including data, configuration, and other resources accessible from the server level.
Immediately remove or isolate PHP-Charts v1.0 from production environments. Apply patches available from the vendor according to references. As a temporary measure, block access to the wizard/url.php file at the firewall or web server configuration level and restrict the ability to execute external commands by the web server process.
PHP-Charts version 1.0 (wizard/url.php file)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X