
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Mocodo Online 4.2.6 and below contains a Remote Code Execution vulnerability in /web/rewrite.php. The vulnerability was discovered and disclosed on May 9, 2024, and affects the web-based database schema design tool (Chocapikk Blog, NVD).
The vulnerability exists in the /web/rewrite.php file, where user input from $_POST['args'] is directly concatenated into a command string without proper sanitization. The application determines the path to the Mocodo executable based on the HTTP_REFERER header and then constructs a command line using the unsanitized user input. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).
The vulnerability allows an attacker to execute arbitrary commands on the server hosting the Mocodo application. Due to the lack of input validation and command sanitization, an attacker can achieve remote code execution with the same privileges as the web server process (Chocapikk Blog).
The vulnerability has been fixed in version 4.2.7 of Mocodo. For those unable to upgrade immediately, it is recommended to implement strict input validation and use PHP's escapeshellarg() function to properly escape command arguments. Additionally, implementing proper validation of user inputs before they are used in system commands is crucial (Chocapikk Blog).
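To make the flaw and the recommended fix concrete, the following PHP is an added illustration, not Mocodo's own code: it contrasts raw concatenation of request data into a command line with a version that allowlists each token and escapes it with escapeshellarg(). The binary path, the option names and the sample request body are assumptions constructed for the example.

```php
<?php
// Added example (not Mocodo's code): unsafe vs. hardened command construction.
// MOCODO_BIN, the allowed flags and the sample input are assumptions.
declare(strict_types=1);

// Fixed, server-side path: never derive the executable location from HTTP_REFERER.
const MOCODO_BIN = '/usr/local/bin/mocodo'; // assumed path

// Vulnerable pattern: request data is spliced verbatim into the command line,
// so any shell metacharacters in $args reach the shell intact.
function build_command_unsafe(string $args): string {
    return MOCODO_BIN . ' ' . $args;
}

// Hardened pattern: split into tokens, check each against a strict allowlist,
// then wrap every token with escapeshellarg() so it is passed as one literal argument.
function build_command_safe(string $args): string {
    $allowed_flags = ['--colors', '--title', '--relations']; // assumed option names
    $tokens = preg_split('/\s+/', trim($args), -1, PREG_SPLIT_NO_EMPTY);
    $escaped = [];
    foreach ($tokens as $token) {
        if (strncmp($token, '--', 2) === 0) {
            if (!in_array($token, $allowed_flags, true)) {
                throw new InvalidArgumentException("Rejected option: $token");
            }
        } elseif (!preg_match('/^[A-Za-z0-9_.-]+$/', $token)) {
            // Values may only contain a conservative character set.
            throw new InvalidArgumentException("Rejected value: $token");
        }
        $escaped[] = escapeshellarg($token);
    }
    return MOCODO_BIN . ' ' . implode(' ', $escaped);
}

$input = "--title report; echo injected"; // constructed sample request body
echo build_command_unsafe($input), PHP_EOL;   // the ';' terminates the command for the shell
try {
    echo build_command_safe($input), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL; // "report;" fails the value check
}
echo build_command_safe('--title report'), PHP_EOL; // well-formed input is escaped and accepted
```

Neither function executes anything; the script only prints the command strings so the difference is visible without running the Mocodo binary.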
The Mocodo development team responded promptly to the vulnerability report on May 9, 2024, acknowledging the security issue and releasing a fix in version 4.2.7 on the same day (Chocapikk Blog).
Source: This report was generated using AI