LionSec / wifresti

Find your wireless network password in Windows , Linux and Mac OS
GNU General Public License v2.0

Command Injection Vulnerability #9

Open proteansec opened 8 years ago

proteansec commented 8 years ago

Hi,

wifresti.py contains a command injection vulnerability when calling the os.system command. Take a look at the following output, where the linux platform was chosen, after which the "test; ls /" string was inputted, where "ls /" is its own command, which is executed on the system, as you can see from the directories present in the root directory / right under the inputted string.

```
Please choose your operating system.

 1) linux
 2) Windows
 3) Mac OS

> 1

All wireless networks :

ls: cannot access /etc/NetworkManager/system-connections/: No such file or directory

Insert the network name , or press (a) to see information about all networks. 

> test; ls /
###################################### - test; ls / - ######################################

bin  boot  dev  etc  home  lib  media  mnt opt  proc  root  run  sbin  sys  tmp  usr  var

#############################################################################################

All wireless networks :

ls: cannot access /etc/NetworkManager/system-connections/: No such file or directory

Insert the network name , or press (a) to see information about all networks.

> 
```

Please fix the vulnerability by using subprocess to call external programs by properly escaping user input and not os.system.
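The fix requested above, sketched as an added example that is not wifresti's own code: the shell-string pattern next to an argv-list `subprocess` call, run against a constructed profile directory. The function names are hypothetical, and the use of `cat` to read a profile and Python 3.7+ are assumptions; only the directory path comes from the output in the issue.

```python
import os
import subprocess
import tempfile

# Path taken from the error message in the issue's output.
PROFILE_DIR = "/etc/NetworkManager/system-connections/"


def read_profile_unsafe(name, profile_dir=PROFILE_DIR):
    """Vulnerable pattern: like os.system(), the string is parsed by /bin/sh."""
    cmd = "cat " + profile_dir + name          # ';' in name starts a second command
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return done.returncode, done.stdout


def read_profile(name, profile_dir=PROFILE_DIR):
    """Hardened: plain file name only, argv list, no shell."""
    if not name or name in (".", "..") or name != os.path.basename(name):
        raise ValueError("network name must be a plain file name")
    path = os.path.join(profile_dir, name)
    # "--" ends option parsing, so a name such as "-n" is not taken as a flag.
    done = subprocess.run(["cat", "--", path], capture_output=True, text=True)
    return done.returncode, done.stdout


def demo():
    """Run both variants against a constructed profile directory."""
    with tempfile.TemporaryDirectory() as d:
        d = d + os.sep
        # Constructed sample: SSIDs may legitimately contain ';' and spaces.
        legit = "cafe; echo INJECTED"
        with open(os.path.join(d, legit), "w") as fh:
            fh.write("psk=constructed-sample\n")
        return {
            "unsafe": read_profile_unsafe(legit, d),
            "safe": read_profile(legit, d),
        }


if __name__ == "__main__":
    for variant, (rc, out) in demo().items():
        print(variant, rc, repr(out))
```

Because network names can legitimately contain `;` and spaces, stripping those characters would break valid input; passing the name as a single argv element keeps such names working while nothing in them is interpreted by a shell.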