Open eldstal opened 1 year ago
An OS command injection vulnerability exists in the web interface of mobro-raspberrypi. It allows an unauthenticated attacker to execute arbitrary OS commands on the host, with the privileges of the web server.
Commit fa0a9fa, version 12.3 and older
/api/log/index.php?lines=0 /dev/null;uptime;ls
The output of the uptime command is shown in the HTTP response.
uptime
An unsanitized GET parameter is passed to shell_exec() at api/log/index.php:8.
shell_exec()
An unauthenticated user is able to execute arbitrary OS commands by including semicolons in the lines parameter to terminate the intended command.
lines
Ensure that $_GET['lines'] is numeric, as is already done in the syslog component.
$_GET['lines']
An OS command injection vulnerability exists in the web interface of mobro-raspberrypi. It allows an unauthenticated attacker to execute arbitrary OS commands on the host, with the privileges of the web server.
Affected versions
Commit fa0a9fa, version 12.3 and older
Steps to reproduce
/api/log/index.php?lines=0 /dev/null;uptime;lsThe output of the
uptimecommand is shown in the HTTP response.Cause
An unsanitized GET parameter is passed to
shell_exec()at api/log/index.php:8.Impact
An unauthenticated user is able to execute arbitrary OS commands by including semicolons in the
linesparameter to terminate the intended command.Proposed Mitigation
Ensure that
$_GET['lines']is numeric, as is already done in the syslog component.