
🐛 | Command Injection and XSS vulnerabilities reports #1859

Closed
enferas opened this issue Jul 18, 2022 · 3 comments · Fixed by #1862

Comments

@enferas
Contributor

enferas commented Jul 18, 2022

Hello,

I would like to report a possible vulnerability.

In file https://github.com/MiczFlor/RPi-Jukebox-RFID/blob/develop/htdocs/trackEdit.php

//line 136
if(isset($_GET['folder']) && $_GET['folder'] != "") { 
    $post['folder'] = $_GET['folder'];
} else {
    if(isset($_POST['folder']) && $_POST['folder'] != "") { 
        $post['folder'] = $_POST['folder'];
    }
}
if(isset($_GET['filename']) && $_GET['filename'] != "") { 
    $post['filename'] = $_GET['filename'];
} else {
    if(isset($_POST['filename']) && $_POST['filename'] != "") { 
        $post['filename'] = $_POST['filename'];
    }
}
//line 249
$fileName = Files::buildPath($post['folder'], $post['filename']);
$exec = "mid3v2 -l '" .$fileName ."'" ;

In file https://github.com/MiczFlor/RPi-Jukebox-RFID/blob/develop/htdocs/utils/Files.php

public static function buildPath(...$pieces) {
    return implode(DIRECTORY_SEPARATOR, $pieces);
}

So the attacker can control the command injection through the filename.
The attacker can add ';' and add another command like (echo <script>alert(document.cookie)</script>).
The output of the command will be printed through this path.

In file https://github.com/MiczFlor/RPi-Jukebox-RFID/blob/develop/htdocs/trackEdit.php

//line 252
// note: the output of the command is in $res
$lines = explode(PHP_EOL, $res);
foreach($lines as $line) {
    $parts = explode("=",$line);
    $key = trim(array_shift($parts)); // take the first
    $val = trim(implode("=",$parts)); // put the rest back together
    if (in_array($key, $trackDat['metaKeys']['mp3'])) {
        $trackDat['existingTags'][$key] = $val;
    }
}
//line 496
if (isset($trackDat['existingTags']['TCOM']) && trim($trackDat['existingTags']['TCOM']) != "") {
    echo trim($trackDat['existingTags']['TCOM']);
}

Finally, I recommend using escapeshellarg function with the $_GET['folder'], $_POST['folder'], $_GET['filename'] and $_POST['filename']
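A hardened version of the path handling and tag output described above, as an added example that is not code from this issue or from the RPi-Jukebox-RFID project; the names safeTrackCommand, isInsideRoot, renderTag and $mediaRoot are assumptions for this illustration.

```php
<?php
// Added example (not the project's code): hardened handling of the folder and
// filename inputs. Function names and $mediaRoot are assumed for illustration.
declare(strict_types=1);

/**
 * Build the mid3v2 invocation with the user-supplied path passed as ONE
 * shell-quoted argument. escapeshellarg() wraps the value in single quotes and
 * escapes embedded single quotes, so ';', '&&' or '$(...)' stay literal text.
 */
function safeTrackCommand(string $folder, string $filename): string
{
    $fileName = implode(DIRECTORY_SEPARATOR, [$folder, $filename]);
    return 'mid3v2 -l ' . escapeshellarg($fileName);
}

/**
 * Defence in depth: only accept a path that resolves inside the media root,
 * so a correctly quoted but hostile path cannot point mid3v2 at other files.
 * realpath() returns false for a non-existent file, which is rejected too.
 */
function isInsideRoot(string $mediaRoot, string $folder, string $filename): bool
{
    $root   = realpath($mediaRoot);
    $target = realpath($mediaRoot . DIRECTORY_SEPARATOR . $folder . DIRECTORY_SEPARATOR . $filename);
    return $root !== false && $target !== false
        && strncmp($target, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) === 0;
}

/** HTML-escape a tag value before echoing it, so command output cannot become markup. */
function renderTag(string $val): string
{
    return htmlspecialchars(trim($val), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input in the shape the report describes (a quote and a
// separator smuggled into the filename); the quoted command keeps it inert.
$folder   = 'audiofolders/demo';
$filename = "track'; echo injected";

echo safeTrackCommand($folder, $filename), PHP_EOL;
echo renderTag('<b>Composer</b> name'), PHP_EOL;
var_dump(isInsideRoot('/nonexistent-media-root', $folder, $filename));
```

Running the script prints the command with the whole path inside a single quoted argument and the tag value with its angle brackets entity-encoded; the root check returns false because the constructed path does not exist.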

@s-martin
Collaborator

Hi, thanks for pointing that out.

If you want to provide a pull request with the necessary changes it would also be appreciated :)

@MiczFlor

@enferas
Contributor Author

enferas commented Jul 23, 2022

Thank you for your response.
I sent the pull request.

@enferas
Contributor Author

enferas commented Sep 21, 2022

CVE-2022-36749 is assigned for this report.
