
A critical vulnerability in compop.ca version 3.5.3 has been disclosed, allowing arbitrary code execution due to an authentication bypass flaw. The issue, tracked as CVE-2024-48445, was published on April 17, 2025, by researcher dmlino via Exploit Database [1]. The exploit leverages Unix timestamp manipulation in URL parameters, affecting web applications running the vulnerable version.
Technical Analysis
The vulnerability stems from improper validation of the ts (timestamp) parameter in compop.ca’s authentication mechanism. Attackers can bypass security checks by injecting manipulated Unix timestamps into requests. The exploit requires no prior authentication, making it particularly dangerous for exposed instances. According to the Exploit Database entry [1], the attack follows three steps: identification of vulnerable systems, generation of a current Unix timestamp, and injection of the modified timestamp into the URL parameter.
Proof of Concept (PoC) commands for timestamp generation include Linux’s date +%s and Windows PowerShell’s [int](Get-Date -UFormat %s -Millisecond 0). The vulnerability affects multiple platforms, though specific configurations may influence exploitability. The National Vulnerability Database (NVD) entry [2] confirms the high-risk nature of this flaw, though no CVSS score has been published as of April 23, 2025.
Impact and Mitigation
Successful exploitation allows attackers to execute arbitrary code on affected systems, potentially leading to complete system compromise. The vendor’s website [3] currently shows no available patch for version 3.5.3. Immediate mitigation recommendations include restricting access to compop.ca instances via network controls and monitoring for suspicious timestamp manipulation attempts in web requests.
Security discussions on the KSEC Forum [4] suggest implementing web application firewalls (WAFs) with custom rules to detect and block timestamp tampering. System administrators should also review logs for unusual authentication patterns, particularly requests containing modified ts parameters. The vulnerability’s discovery follows similar web application flaws, including recent RCE issues in DocsGPT 0.12.0 [5] and Apache Commons Text 1.10.0 [6].
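As an added illustration of the log review recommended above (not code from the advisory, the forum thread or the compop.ca project), the following Python script parses constructed Apache-style access log lines, extracts the ts query parameter, and flags two patterns: a ts value far from the request time, and a burst of ts-bearing login requests from one client. The /login path, the skew limit and the burst threshold are assumptions, not values taken from the advisory.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Thresholds are assumptions, not values from the advisory.
MAX_SKEW = 300                # seconds a ts value may differ from the request time
BURST_COUNT, WINDOW = 3, 60   # N ts-bearing login requests within WINDOW seconds
AUTH_PATHS = {"/login"}       # assumed path of the authentication endpoint

# Constructed sample lines in Apache combined log format, not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Apr/2025:10:00:00 +0000] "GET /login?ts=1744884000 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Apr/2025:10:00:05 +0000] "GET /login?ts=1744884005 HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [17/Apr/2025:10:00:06 +0000] "GET /login?ts=1744884006 HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [17/Apr/2025:10:00:07 +0000] "GET /login?ts=1744884007 HTTP/1.1" 200 512 "-" "curl/8.0"
192.0.2.9 - - [17/Apr/2025:10:01:00 +0000] "GET /login?ts=1700000000 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*"')

def parse_line(line):
    """Return (client_ip, request_epoch, path, ts) or None if there is no ts param."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, stamp, target = m.groups()
    when = int(datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").timestamp())
    parts = urlsplit(target)
    ts_values = parse_qs(parts.query).get("ts")
    if not ts_values or not ts_values[0].isdigit():
        return None
    return ip, when, parts.path, int(ts_values[0])

def find_suspicious(log_text):
    """Return (client_ip, reason) findings: skewed ts values and ts-bearing login bursts."""
    findings, per_client = [], defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[2] not in AUTH_PATHS:
            continue
        ip, when, _, ts = rec
        if abs(ts - when) > MAX_SKEW:
            findings.append((ip, f"ts skew {ts - when:+d}s"))
        per_client[ip].append(when)
        recent = [t for t in per_client[ip] if when - t <= WINDOW]
        if len(recent) == BURST_COUNT:   # report once, when the threshold is crossed
            findings.append((ip, f"{BURST_COUNT} ts-bearing login requests in {WINDOW}s"))
    return findings
```

Running find_suspicious(SAMPLE_LOG) reports the three-request burst from 198.51.100.7 and the stale ts value sent by 192.0.2.9; a WAF rule would typically apply the same skew check per request before the application sees it.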
Conclusion
The compop.ca 3.5.3 arbitrary code execution vulnerability represents a significant threat to organizations using the affected software. While no patch is currently available, defensive measures can reduce risk exposure. Security teams should prioritize monitoring for exploit attempts and consider temporary workarounds until an official fix is released. This case highlights the ongoing challenges in web application security, particularly around authentication mechanisms and parameter validation.
References
- [1] “compop.ca 3.5.3 – Arbitrary code Execution,” Exploit Database, Apr. 17, 2025. [Online]. Available: https://www.exploit-db.com/exploits/52257
- [2] “CVE-2024-48445,” National Vulnerability Database. [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2024-48445
- [3] “compop.ca,” Vendor Website. [Online]. Available: https://www.compop.ca/
- [4] “webapps-compop-ca-3-5-3-arbitrary-code-execution,” KSEC Forum. [Online]. Available: https://forum.ksec.co.uk/t/webapps-compop-ca-3-5-3-arbitrary-code-execution/9879
- [5] “DocsGPT 0.12.0 – RCE (CVE-2025-0868),” Exploit Database, Apr. 09, 2025. [Online]. Available: https://www.exploit-db.com/exploits/52145
- [6] “Apache Commons Text 1.10.0 – RCE,” Facebook Post, Apr. 18, 2025. [Online]. Available: https://www.facebook.com/ExploitDB/posts/683258044383106