123Solar is a lightweight set of PHP/JS files that makes a web logger to monitor your photovoltaic inverter(s). It just need a web server and PHP, no databases are even needed. The philosophy is: To keep it simple, fast, with a low foot print to run on cheap and low powered devices.
123Solar 1.8.4.5 contains a PHP Code Injection vulnerability. Attackers can inject arbitrary PHP commands into the PASSOx parameter, which can then be executed by other PHP scripts that include config/config_invt1.php.
Details
In the /admin/admin_invt2.php script, the value of the PASSOx parameter is directly written into the config/config_invt1.php file without proper filtering or escaping.
This allows attackers to insert PHP code snippets into the PASSOx parameter, which will then be written to the configuration file and executed by other scripts that include this configuration file.
Hebing123
commented
1 month ago
Summary
123Solar 1.8.4.5 contains a PHP Code Injection vulnerability. Attackers can inject arbitrary PHP commands into the
PASSOxparameter, which can then be executed by other PHP scripts that includeconfig/config_invt1.php.Details
In the
This allows attackers to insert PHP code snippets into the PASSOx parameter, which will then be written to the configuration file and executed by other scripts that include this configuration file.
/admin/admin_invt2.phpscript, the value of the PASSOx parameter is directly written into theconfig/config_invt1.phpfile without proper filtering or escaping.POC
Then visit http://your-ip/admin/admin_invt.php