
Vuln in mbilling/index.php/configuration/read?filter= parameter ?

Open Aminuxer opened this issue 9 months ago • 5 comments

Describe the bug

Suspicious activity after some requests + exploiting? I detected some wrong activities on my developer-env with magnusbilling7.

!! A new system user was created, and the owner of many magnusbilling files was changed. !! In /mbilling/tmp a suspicious file for mass scam dial-out was found.

To Reproduce

// So difficult, but I can extract logs:

195.xx63 - - [09:39:26] "POST /mbilling/index.php/authentication/login HTTP/1.1" 200 1231 "-" "axios/1.7.7"
195.xx63 - - [09:39:27] "GET /mbilling/index.php/authentication/check HTTP/1.1" 200 2721 "-" "axios/1.7.7"
195.xx63 - - [09:39:27] "GET /mbilling/index.php/configuration/read?filter=%5B%7B%22type%22%3A%22string%22%2C%22field%22%3A%22config_title%22%2C%22value%22%3A%22DIDWW%20APY%20URL%22%2C%22comparison%22%3A%22ct%22%7D%5D&page=1&start=0&limit=25 HTTP/1.1" 200 1353 "-" "axios/1.7.7"
195.xx63 - - [09:39:27] "POST /mbilling/index.php/configuration/save HTTP/1.1" 200 1454 "-" "axios/1.7.7"
195.xx63 - - [09:39:27] "POST /mbilling/index.php/did/save HTTP/1.1" 200 1694 "-" "axios/1.7.7"
195.xx63 - - [09:39:27] "POST /mbilling/tmp/stripe.php?feature=shell HTTP/1.1" 404 1256 "-" "axios/1.7.7"
195.xx63 - - [09:39:32] "POST /mbilling/tmp/stripe.php?feature=shell HTTP/1.1" 404 1256 "-" "axios/1.7.7"

A similar filter= parameter in this option is vulnerable to some command injections.

Expected behavior

  • Normal work
  • running the asterisk process as a separate user, different from the web-server user. =)

Desktop (please complete the following information):

  • OS: Debian 12
  • Browser: axios / any HTTP client

Additional context

Aminuxer, Feb 19 '25 21:02
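A detection pass over access-log lines of the kind quoted in the report, added here as an example and not code from the issue or from MagnusBilling: it flags POSTs to PHP files under /mbilling/tmp (where the dropped file was found), notes when they follow a configuration/save from the same address, and rejects filter= values that are not the JSON array of plain clauses the UI sends. The sample lines are constructed from the redacted ones above plus two assumed lines from other hosts; the log layout and the shell-metacharacter rule are assumptions.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines modelled on the issue's redacted log (attacker address kept as
# "195.xx63"); the last two lines are assumed benign and malformed traffic from other hosts.
SAMPLE_LOG = """\
195.xx63 - - [09:39:26] "POST /mbilling/index.php/authentication/login HTTP/1.1" 200 1231 "-" "axios/1.7.7"
195.xx63 - - [09:39:27] "GET /mbilling/index.php/configuration/read?filter=%5B%7B%22type%22%3A%22string%22%2C%22field%22%3A%22config_title%22%2C%22value%22%3A%22DIDWW%20APY%20URL%22%2C%22comparison%22%3A%22ct%22%7D%5D&page=1&start=0&limit=25 HTTP/1.1" 200 1353 "-" "axios/1.7.7"
195.xx63 - - [09:39:27] "POST /mbilling/index.php/configuration/save HTTP/1.1" 200 1454 "-" "axios/1.7.7"
195.xx63 - - [09:39:27] "POST /mbilling/tmp/stripe.php?feature=shell HTTP/1.1" 404 1256 "-" "axios/1.7.7"
10.0.0.5 - - [10:12:01] "GET /mbilling/index.php/configuration/read?filter=%5B%5D&page=1&start=0&limit=25 HTTP/1.1" 200 1353 "-" "Mozilla/5.0"
10.0.0.9 - - [10:15:44] "GET /mbilling/index.php/configuration/read?filter=%7B%22type%22%3A&page=1 HTTP/1.1" 200 1353 "-" "curl/8.5.0"
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
SHELL_META = re.compile(r'[;|&`]|\$\(')  # assumed rule: no place for these in a config_title search

def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def check_filter(query):
    """Reason string if filter= is not the JSON array of plain clauses the UI sends, else None."""
    for raw in parse_qs(query).get("filter", []):
        try:
            clauses = json.loads(raw)
        except ValueError:
            return "filter is not valid JSON"
        if not isinstance(clauses, list) or not all(isinstance(c, dict) for c in clauses):
            return "filter is not a JSON array of clauses"
        for clause in clauses:
            if any(isinstance(v, str) and SHELL_META.search(v) for v in clause.values()):
                return "shell metacharacters inside filter value"
    return None

def scan(log_text):
    """Return (ip, time, reason) findings for the indicators named in the report."""
    findings, saved_config = [], set()
    for rec in (r for r in map(parse_line, log_text.splitlines()) if r):
        url = urlsplit(rec["target"])
        if rec["method"] == "POST" and url.path.endswith("/configuration/save"):
            saved_config.add(rec["ip"])  # remember which addresses changed configuration
        elif url.path.endswith("/configuration/read"):
            if reason := check_filter(url.query):
                findings.append((rec["ip"], rec["time"], reason))
        elif rec["method"] == "POST" and url.path.startswith("/mbilling/tmp/") and url.path.endswith(".php"):
            # A PHP file under the writable tmp/ directory; a 404 still records the attempt
            stage = " after configuration/save" if rec["ip"] in saved_config else ""
            findings.append((rec["ip"], rec["time"], f"POST to PHP script under /mbilling/tmp{stage} (HTTP {rec['status']})"))
    return findings
```

Running scan(SAMPLE_LOG) reports the tmp/ POST from the redacted address as following its configuration/save, and the truncated filter from 10.0.0.9 as invalid JSON, while the browser request with an empty clause list passes.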