Submit #468530: Roxy-wi https://github.com/roxy-wi/roxy-wi <8.1.3 OS Command Injection

Title: Roxy-wi https://github.com/roxy-wi/roxy-wi <8.1.3 OS Command Injection

Description:

## Summary

An OS command injection vulnerability has been found in Roxy-WI, the centralized management system for servers running HAProxy, Nginx, Apache and Keepalived. A user-controlled service name reaches `os.system()` unsanitized, so an authenticated admin user can run arbitrary shell commands on the Roxy-WI host (with `sudo`).

## Vulnerable Code

The issue starts in the `action_tools` function in `app/routes/admin/routes.py`:

```
@bp.route('/tools/action/<service>/<action>')
def action_tools(service, action):
    roxywi_auth.page_for_admin()
    if action not in ('start', 'stop', 'restart'):
        return 'error: wrong action'
    return roxy.action_service(action, service)
```

- The `service` and `action` values are taken straight from the URL path.
- `action` is restricted to `start`, `stop` or `restart`, but `service` is passed to `action_service` without any validation or sanitization.

In `app/modules/roxywi/roxy.py`, the `action_service` function looks like this:

```
def action_service(action: str, service: str) -> str:
    is_in_docker = is_docker()
    actions = {
        'start': 'enable --now',
        'stop': 'disable --now',
        'restart': 'restart',
    }
    # user-controlled `service` is interpolated into a shell command string
    cmd = f"sudo systemctl {actions[action]} {service}"

    if not roxy_sql.select_user_status():
        return 'warning: The service is disabled because you are not subscribed. Read <a href="https://roxy-wi.org/pricing" ' \
               'title="Roxy-WI pricing" target="_blank">here</a> about subscriptions'

    if is_in_docker:
        cmd = f"sudo supervisorctl {action} {service}"

    # sink: the string is handed to /bin/sh, which expands $(...), backticks, ; and |
    os.system(cmd)
    roxywi_common.logging('Roxy-WI server', f' The service {service} has been {action}ed', roxywi=1, login=1)
    return 'ok'
```

The `service` parameter is placed directly into the `cmd` string, which is then executed through `os.system()`, i.e. by the system shell. Sending a value such as `$(sleep 10)` as the service name therefore causes the shell to evaluate it, and the request will visibly hang for ten seconds; any other command substitution works the same way.

_Note that this vulnerability is only relevant for premium Roxy-WI servers: the `roxy_sql.select_user_status()` check returns before `os.system()` is reached when no subscription is active._
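The following is an added example, not code from the Roxy-WI project or from the submitter. It shows both sides of the issue described above: `shell_expands()` reproduces the original f-string pattern with `echo` standing in for `sudo systemctl`, so one can see that `/bin/sh` expands `$(...)` before the command runs, while `build_command()` / `action_service()` are a hardened counterpart that validates `action` and `service` against fixed allowlists and passes an argv list to `subprocess.run()` so no shell ever parses the service name. The service names in `ALLOWED_SERVICES` and the `dry_run` parameter are assumptions made for this example.

```python
"""Added example (not Roxy-WI code): shell-expansion demo and a hardened action_service()."""
import re
import subprocess
from typing import List

# Assumed allowlist of the services Roxy-WI is described as managing.
ALLOWED_SERVICES = frozenset({"haproxy", "nginx", "apache2", "keepalived"})

# Same action mapping as the original, but as argv fragments, not a string.
SYSTEMCTL_ACTIONS = {
    "start": ["enable", "--now"],
    "stop": ["disable", "--now"],
    "restart": ["restart"],
}

# Unit names must be a plain token; belt-and-braces on top of the allowlist.
_SAFE_TOKEN = re.compile(r"^[A-Za-z0-9_.@-]+$")


def shell_expands(service: str) -> str:
    """Reproduce the vulnerable pattern: user input interpolated into a string
    that the shell parses. `echo` replaces sudo/systemctl so nothing privileged
    runs, but $(...) in `service` is still expanded by /bin/sh."""
    cmd = f"echo sudo systemctl restart {service}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.strip()


def validate(action: str, service: str) -> None:
    """Raise ValueError unless both parameters are on the allowlists."""
    if action not in SYSTEMCTL_ACTIONS:
        raise ValueError(f"wrong action: {action!r}")
    if service not in ALLOWED_SERVICES or not _SAFE_TOKEN.match(service):
        raise ValueError(f"unknown service: {service!r}")


def build_command(action: str, service: str, in_docker: bool = False) -> List[str]:
    """Return the argv list for the requested action after validation.

    A list (not a string) makes subprocess.run() exec the binary directly
    (shell=False), so metacharacters in `service` are never interpreted."""
    validate(action, service)
    if in_docker:
        return ["sudo", "supervisorctl", action, service]
    return ["sudo", "systemctl", *SYSTEMCTL_ACTIONS[action], service]


def action_service(action: str, service: str, in_docker: bool = False,
                   dry_run: bool = True) -> str:
    """Hardened counterpart of the vulnerable function.

    dry_run (an assumption for this example) defaults to True so the code runs
    anywhere; it returns the command instead of executing it."""
    try:
        argv = build_command(action, service, in_docker)
    except ValueError as exc:
        return f"error: {exc}"
    if dry_run:
        return "ok (dry run): " + " ".join(argv)
    # shell=False is the default; check=True surfaces a non-zero exit status.
    subprocess.run(argv, check=True)
    return "ok"


if __name__ == "__main__":
    # The shell substitutes $(echo INJECTED) before the command line runs.
    print(shell_expands("$(echo INJECTED)"))
    # The hardened version rejects the same payload before anything executes.
    print(action_service("restart", "$(sleep 10)"))
    print(action_service("restart", "haproxy"))
    print(action_service("start", "nginx", in_docker=True))
```

The allowlist is the real fix: even with an argv list, an attacker who controls the unit name could still start or stop any unit on the host, so the service name must be constrained to what the product is meant to manage, not merely quoted.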
Source: https://github.com/roxy-wi/roxy-wi/pull/410
User: slash0x99 (UID 77812)
Submission: 12/24/2024 05:28 PM (7 months ago)
Moderation: 01/03/2025 03:53 PM (10 days later)
Status: Accepted
VulDB Entry: 290149 [Roxy-WI up to 8.1.3 roxy.py action_service action/service os command injection]
Points: 20
