
🐛 | Command Injection and XSS vulnerabilities reports

Open enferas opened this issue 1 year ago • 3 comments

Hello,

I would like to report a possible vulnerability.

In file https://github.com/MiczFlor/RPi-Jukebox-RFID/blob/develop/htdocs/trackEdit.php

//line 136
if(isset($_GET['folder']) && $_GET['folder'] != "") { 
    $post['folder'] = $_GET['folder'];
} else {
    if(isset($_POST['folder']) && $_POST['folder'] != "") { 
        $post['folder'] = $_POST['folder'];
    }
}
if(isset($_GET['filename']) && $_GET['filename'] != "") { 
    $post['filename'] = $_GET['filename'];
} else {
    if(isset($_POST['filename']) && $_POST['filename'] != "") { 
        $post['filename'] = $_POST['filename'];
    }
}
//line 249
$fileName = Files::buildPath($post['folder'], $post['filename']);
$exec = "mid3v2 -l '" .$fileName ."'" ;

In file https://github.com/MiczFlor/RPi-Jukebox-RFID/blob/develop/htdocs/utils/Files.php

public static function buildPath(...$pieces) {
    return implode(DIRECTORY_SEPARATOR, $pieces);
}

So the attacker can control the command injection through the filename. The attacker can add ';' and add another command like (echo

In file https://github.com/MiczFlor/RPi-Jukebox-RFID/blob/develop/htdocs/trackEdit.php

//line 252
// note: the output of the command is in $res
$lines = explode(PHP_EOL, $res);
foreach($lines as $line) {
    $parts = explode("=",$line);
    $key = trim(array_shift($parts)); // take the first
    $val = trim(implode("=",$parts)); // put the rest back together
    if (in_array($key, $trackDat['metaKeys']['mp3'])) {
        $trackDat['existingTags'][$key] = $val;
    }
}
//line 496
if (isset($trackDat['existingTags']['TCOM']) && trim($trackDat['existingTags']['TCOM']) != "") {
              echo trim($trackDat['existingTags']['TCOM']);
}

Finally, I recommend using escapeshellarg function with the $_GET['folder'], $_POST['folder'], $_GET['filename'] and $_POST['filename']

enferas avatar Jul 18 '22 14:07 enferas
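As an added illustration of the two issues in the report above (this is example code, not code from the RPi-Jukebox-RFID project or from the reporter), the snippet below places the vulnerable command-building pattern beside a version hardened with escapeshellarg(), and shows the HTML-encoding step that closes the echo of tag values into the page. The function names, the sample folder and filename, and the sample tag value are all constructed for the example.

```php
<?php
// Added example, not the project's code. Function names are hypothetical.

// Vulnerable pattern, as quoted in the issue: the user-supplied folder and
// filename are concatenated straight into the shell command string.
function buildCommandUnsafe(string $folder, string $filename): string {
    $fileName = implode(DIRECTORY_SEPARATOR, [$folder, $filename]);
    return "mid3v2 -l '" . $fileName . "'";
}

// Hardened pattern: escapeshellarg() wraps the whole path in single quotes and
// escapes any single quote inside it, so a ';' or a closing quote in the input
// stays inside a single shell argument instead of terminating the command.
function buildCommandSafe(string $folder, string $filename): string {
    $fileName = implode(DIRECTORY_SEPARATOR, [$folder, $filename]);
    return "mid3v2 -l " . escapeshellarg($fileName);
}

// Hardened output: HTML-encode a tag value before echoing it into the page.
// This addresses the unescaped echo of $trackDat['existingTags']['TCOM']
// quoted in the report, since mid3v2 returns whatever the tag contains.
function renderTagValue(string $val): string {
    return htmlspecialchars(trim($val), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input: a filename containing a single quote and a ';',
// the shape of input the report describes.
$folder   = "audiofolders/demo";
$filename = "track'; echo x # .mp3";

echo buildCommandUnsafe($folder, $filename), PHP_EOL;
echo buildCommandSafe($folder, $filename), PHP_EOL;

// Constructed sample tag value with markup in it.
echo renderTagValue("<b>Composer</b> & Friends"), PHP_EOL;
```

Running the script prints the two command strings one after the other: in the unsafe form the embedded quote closes the argument early, while in the safe form the same input is rendered as one quoted argument with the inner quote escaped. escapeshellarg() only protects the shell boundary; whether the resulting path is inside the intended media directory is a separate check that this example does not perform.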

Hi, thanks for pointing that out.

If you want to provide a pull request with the necessary changes it would also be appreciated :)

@MiczFlor

s-martin avatar Jul 21 '22 21:07 s-martin

Thank you for your response. I sent the pull request.

enferas avatar Jul 23 '22 20:07 enferas

CVE-2022-36749 is assigned for this report.

enferas avatar Sep 21 '22 17:09 enferas