Credits to: Ghost1032, tel
An issue in ZenTao Community Edition v.18.10 and before, ZenTao Biz v8.10 and before, and ZenTao Max v.4.10 and before allows an authenticated attacker to execute arbitrary code: by bypassing the check that gates the creation of ok.txt, the attacker can install a backdoored plugin.
By default you can’t install plugins in ZenTao PMS. Installation requires the admin to create a file in a specific location. Even if ok.txt already exists, you will be asked to recreate it, since there is a check on the file’s creation time.

However, in module/upgrade/control.php, an attacker can create an empty file at a fully controlled file path.

The call chain is: $this->upgrade->moveExtFiles() calls $this->replaceIncludePath($toPath), which in turn executes file_put_contents($filePath, $content). Because the path is attacker-controlled, this write creates an empty file wherever the attacker chooses, which is enough to satisfy the ok.txt check.
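The defensive counterpart of the write described above, as an added illustration rather than ZenTao's own code: before calling file_put_contents(), canonicalise the target and refuse any path that resolves outside the directory the upgrade step is allowed to write to. The function name and the temporary directory used for the demonstration are assumptions.

```php
<?php
// Illustrative hardening (not from the ZenTao code base): a file write whose target
// path is derived from user input must be confined to an allowed base directory.

/**
 * Write $content to $requestedPath only if the file will sit inside $baseDir.
 * Returns true on success, false when the path escapes the allowed directory.
 */
function confinedFilePutContents(string $baseDir, string $requestedPath, string $content): bool
{
    $base = realpath($baseDir);
    if ($base === false) {
        return false;                                   // allowed directory must exist
    }
    // The target file may not exist yet, so canonicalise its parent directory instead.
    // realpath() resolves "..", "." and symlinks, so traversal and symlinked parents
    // that point outside $baseDir are caught by the prefix check below.
    $parent = realpath(dirname($requestedPath));
    $name   = basename($requestedPath);
    if ($parent === false || $name === '' || $name === '.' || $name === '..') {
        return false;
    }
    $target = $parent . DIRECTORY_SEPARATOR . $name;
    // Compare against base plus a separator so "/var/ext" does not accept "/var/extra/x".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return file_put_contents($target, $content) !== false;
}

// Constructed demonstration in a throwaway directory standing in for the extension dir.
$ext = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'ext_' . bin2hex(random_bytes(4));
mkdir($ext);

var_dump(confinedFilePutContents($ext, $ext . '/index.php', ''));   // bool(true)
var_dump(confinedFilePutContents($ext, $ext . '/../ok.txt', ''));   // bool(false): resolves outside
var_dump(confinedFilePutContents($ext, '/tmp/ok.txt', ''));         // bool(false): absolute path elsewhere

unlink($ext . '/index.php');
rmdir($ext);
```

The same prefix check applies to $toPath in the upgrade step: a caller that only ever writes under the extension directory has no legitimate reason to reach ok.txt's location.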