mobro-raspberrypi
Security vulnerability: OS command injection in web interface
An OS command injection vulnerability exists in the web interface of mobro-raspberrypi. It allows an unauthenticated attacker to execute arbitrary OS commands on the host, with the privileges of the web server.
Affected versions
Commit fa0a9fa, version 12.3 and older
Steps to reproduce
- Visit /api/log/index.php?lines=0 /dev/null;uptime;ls
- The output of the uptime command is shown in the HTTP response.
Cause
An unsanitized GET parameter is passed to shell_exec() at api/log/index.php:8.
Impact
An unauthenticated user is able to execute arbitrary OS commands by including semicolons in the lines parameter to terminate the intended command.
Proposed Mitigation
Ensure that $_GET['lines'] is numeric, as is already done in the syslog component.
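The following is an added example of the proposed mitigation; it is not the project's own api/log/index.php and does not reproduce its actual line 8. The log file path, the use of `tail -n` as the intended command, the default line count and the upper bound are all assumptions made for the illustration. The validator rejects anything that is not a plain decimal integer, so the report's `0 /dev/null;uptime;ls` value is refused before any command is built, and the value is still quoted with escapeshellarg() as a second layer:

```php
<?php
// Added example, not the project's code. Hardened handler for a "lines" GET
// parameter that ends up in a shell command. Path, command and limits are
// assumptions for this illustration.
declare(strict_types=1);

const LOG_FILE = '/var/log/mobro.log'; // assumed placeholder path

// The unsafe pattern the report describes (raw parameter concatenated into
// the command string), shown here only as a comment for comparison:
//   echo shell_exec('tail -n ' . $_GET['lines'] . ' ' . LOG_FILE);

/**
 * Validate the "lines" parameter.
 * Returns the integer on success, the default when the parameter is absent,
 * and null when the value is not acceptable.
 */
function validateLines($raw, int $default = 100, int $max = 10000): ?int
{
    if ($raw === null) {
        return $default;            // parameter not supplied
    }
    // $_GET values may be arrays (lines[]=...), so check the type first.
    // ctype_digit() only accepts ASCII 0-9, so spaces, ';', '/', '-' and
    // '+' are all rejected; the length cap keeps (int) from overflowing.
    if (!is_string($raw) || $raw === '' || strlen($raw) > 6 || !ctype_digit($raw)) {
        return null;
    }
    $n = (int) $raw;
    return ($n >= 1 && $n <= $max) ? $n : null;
}

/**
 * Build the command from an already validated integer. escapeshellarg() is
 * applied anyway so the shell never sees unquoted user-derived data.
 */
function buildTailCommand(int $lines, string $logFile): string
{
    return 'tail -n ' . escapeshellarg((string) $lines) . ' ' . escapeshellarg($logFile);
}

if (PHP_SAPI === 'cli') {
    // Self-check when run from the command line: the report's payload must be
    // rejected and a plain number accepted.
    if (validateLines('0 /dev/null;uptime;ls') !== null) {
        throw new RuntimeException('injection string was accepted');
    }
    if (validateLines('50') !== 50) {
        throw new RuntimeException('valid numeric input was rejected');
    }
    echo "validator self-check passed\n";
    exit;
}

// Web request handling
$lines = validateLines($_GET['lines'] ?? null);
if ($lines === null) {
    http_response_code(400);
    header('Content-Type: text/plain');
    echo "invalid 'lines' parameter\n";
    exit;
}
header('Content-Type: text/plain');
echo shell_exec(buildTailCommand($lines, LOG_FILE));
```

Whitelisting the value as an integer is the fix the report asks for; escapeshellarg() on top of it costs nothing and protects the handler if the validation is ever loosened later. Rejecting with a 400 rather than silently falling back to a default also makes injection attempts visible in the web server's access log.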