FruityWifi contains two security vulnerabilities that allow an unauthorized attacker to take complete control over the system.
The first vulnerability has already been released by another researcher and was assigned CVE-2018-17317:
FruityWifi (aka PatatasFritas/PatataWifi) 2.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the io_mode, ap_mode, io_action, io_in_iface, io_in_set, io_in_ip, io_in_mask, io_in_gw, io_out_iface, io_out_set, io_out_mask, io_out_gw, iface, or domain parameter to /www/script/config_iface.php, or the newSSID, hostapd_secure, hostapd_wpa_passphrase, or supplicant_ssid parameter to /www/page_config.php.
Now to exploit this vulnerability an attacker needs a valid session, but it turns out that command injection is also possible in a file that lacks any access control.
The file www/modules/save.php is accessible to anyone (erroneously?) and the validation attempt in regex_standard can be bypassed. So a POST request to modules/save.php with a mod_name value of a; netcat -lp 1234 < /etc/passwd; echo will execute netcat -lp 1234 < /etc/passwd.
Even if the regex used in regex_standard were correct it would still be too lenient (because it allows - and spaces).
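A hardened shape for the check described in this report, written here as an added illustration and not FruityWifi's own code (the issue does not show the real regex_standard or what save.php executes, so the allowlist, the session key name and the downstream command are assumptions): the session is verified first, mod_name must match an anchored allowlist that excludes - and whitespace, and the value is only ever passed through escapeshellarg.

```php
<?php
// Added example, not FruityWifi code. The real regex_standard is not shown in
// the issue, so this allowlist is an assumption; it deliberately rejects '-'
// and whitespace, which the report says the original check lets through.

// Require an authenticated session before touching any module state; this is
// the access control the report says save.php lacked.
function require_session(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['logged_in'])) {   // session key name is assumed
        http_response_code(403);
        exit('forbidden');
    }
}

// Strict allowlist: letters, digits and underscore only, bounded length.
// The 'D' modifier makes '$' match only at the very end of the string, so a
// value with a trailing "\n" cannot slip past an otherwise anchored pattern.
function is_valid_mod_name(string $name): bool {
    return preg_match('/^[A-Za-z0-9_]{1,64}$/D', $name) === 1;
}

// Even a quoted argument can start with '-' and be parsed as an option by the
// program that receives it, which is why the allowlist above excludes '-'.
// The program name here is a placeholder; the command save.php really runs
// is not shown in the report.
function module_save_command(string $mod_name): string {
    return 'php ' . escapeshellarg(__DIR__ . '/save_module.php') . ' '
         . escapeshellarg($mod_name);
}

require_session();

$mod_name = $_POST['mod_name'] ?? '';
if (!is_valid_mod_name($mod_name)) {
    http_response_code(400);
    exit('invalid mod_name');
}

// "a; netcat -lp 1234 < /etc/passwd; echo" (the payload in the report) and
// "a -b" are both rejected above; a name such as "wifi_monitor" is accepted.
exec(module_save_command($mod_name), $output, $rc);
```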
Hi Pyriphlegethon,
Thanks for reporting the issue. I added the session validation into save.php
Please note that PatatasFritas is an old Fork of FruityWiFi (FruityWiFi is the original project) and it was forked before adding session validation into FruityWiFi.