[Security] Path Traversal to Remote Code Execution Vulnerability in /web/settings/saveconfig.php
#2850
Comments
Yeeb1
changed the title
/web/settings/saveconfig.php/web/settings/saveconfig.php
|
I noticed that in previous disclosures (e.g., #2816) there were discussions around responsible disclosure. However, this repository still does not have a security policy set up (guidance here). Additionally, the contact addresses in the For these reasons, I have refrained from disclosing all the details that allow for full code execution. If necessary, I can provide further details and the Python proof-of-concept (PoC). |
|
Thanks for the hint. I implemented a fix in #2851. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The endpoint
/web/settings/saveconfig.phpprocesses POST requests in a way that does not adequately protect against path traversal, particularly in the context of dynamically constructing command lines for execution. The vulnerability arises from the fact that user inputs ($_POST['etprovider'],$_POST['socmodul'], and$_POST['socmodul1']) are directly embedded intoexec()calls without sufficient validation to ensure that the input does not lead outside of the intended directories.While
escapeshellcmd()is already employed to sanitize these inputs, it is primarily intended to escape shell metacharacters and does not prevent path traversal sequences such as../../../../. This allows for the creation of inputs that effectively bypass the intended use ofescapeshellcmd()and manipulate the application to execute arbitrary commands or access files outside the web root directory.The text was updated successfully, but these errors were encountered: