Submission #754579: Tosei Tosei Online Store Management System ネット店舗管理システム 1.01 OS Command Injection / Remote Code Execution

Title: Tosei Tosei Online Store Management System ネット店舗管理システム 1.01 OS Command Injection / Remote Code Execution
Description:

Summary
An OS Command Injection vulnerability exists in the Tosei Online Store Management System v1.01. The application fails to properly sanitize the DevId parameter in the /cgi-bin/monitor.php endpoint, allowing an unauthenticated remote attacker to execute arbitrary system commands via a specially crafted POST request.

Technical Details & Root Cause
The vulnerability stems from the improper use of insecure PHP system execution functions (such as system(), exec(), or shell_exec()) when processing the DevId parameter. Due to a lack of metacharacter escaping, an attacker can use a semicolon (;) to terminate the intended command and append malicious shell commands.

Proof of Concept (PoC)
An attacker can confirm the vulnerability by sending a POST request to /cgi-bin/monitor.php with the following payload:

doput=ON&DevId=;id;&Port=1

The first ; breaks out of the original command.
The id command is executed by the shell.
The trailing ; ensures the rest of the original string does not cause a syntax error.

The server responds with command output (e.g., uid=501(contec) gid=501(contec)), confirming Remote Code Execution (RCE).

Impact
Full System Compromise: Unauthorized execution of commands with web server privileges (contec).
Data Exfiltration: Potential access to sensitive system files (e.g., /etc/passwd) and database credentials.
Lateral Movement: The compromised host can serve as a pivot point for attacking the internal network.
Privilege Escalation: High risk of gaining root access due to the legacy environment (Apache/1.3.31).

Remediation
Input Validation: Implement a strict alphanumeric allow-list for the DevId parameter.
Secure Coding: Replace system shell calls with native PHP APIs.
Command Escaping: Use escapeshellarg() if shell execution is strictly required.
System Update: Upgrade the outdated Apache/PHP stack to a currently supported version.
Source: https://github.com/CVE-Hunter-Leo/CVE/issues/9
User: CW.Wong (UID 88449)
Submitted: 09/02/2026 10:42 AM (3 months ago)
Moderation: 21/02/2026 06:30 PM (12 days later)
Status: Accepted
VulDB entry: 347314 [Tosei Online Store Management System ネット店舗管理システム HTTP POST Request /cgi-bin/monitor.php system privilege escalation]
Points: 20
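
The remediation items in the description (allow-list for DevId, no shell, escapeshellarg() as a fallback) can be sketched as follows. This is an added example, not the vendor's code or part of the submission; it assumes PHP 8, and the binary path MONITOR_BIN, the length bounds and all function names are hypothetical because the page does not show the source of monitor.php.

```php
<?php
declare(strict_types=1);
// Hypothetical stand-in: the page does not show which command monitor.php runs.
const MONITOR_BIN = '/usr/local/bin/devmon';

// Allow-list for DevId: letters and digits only; the 32-character bound is an assumption.
function validDevId(mixed $raw): ?string
{
    if (!is_string($raw)) {
        return null; // DevId[]=x arrives as an array
    }
    // \A and \z anchor the whole string; "$" alone would accept a trailing newline.
    return preg_match('/\A[A-Za-z0-9]{1,32}\z/', $raw) === 1 ? $raw : null;
}

// Port: decimal digits only; the five-digit bound is an assumption.
function validPort(mixed $raw): ?int
{
    $ok = is_string($raw) && ctype_digit($raw) && strlen($raw) <= 5;
    return $ok ? (int) $raw : null;
}

// Preferred form: an argv array, which proc_open() (PHP 7.4+) runs without a shell.
function monitorArgv(string $devId, int $port): array
{
    return [MONITOR_BIN, $devId, (string) $port];
}

// Fallback when a shell string cannot be avoided: quote every argument.
function monitorShellCommand(string $devId, int $port): string
{
    return MONITOR_BIN . ' ' . escapeshellarg($devId) . ' ' . escapeshellarg((string) $port);
}

// Reject invalid input before anything reaches a process API.
function handle(array $post): array
{
    $devId = validDevId($post['DevId'] ?? null);
    $port  = validPort($post['Port'] ?? null);
    if ($devId === null || $port === null) {
        return ['status' => 400, 'argv' => null];
    }
    return ['status' => 200, 'argv' => monitorArgv($devId, $port)];
}

// Constructed requests; the second carries the DevId value from the PoC above.
foreach ([['DevId' => 'A1', 'Port' => '1'], ['DevId' => ';id;', 'Port' => '1']] as $post) {
    echo json_encode(handle($post)), PHP_EOL;
}
```

The first constructed request yields status 200 with a three-element argv; the second is rejected with status 400 before any command is built.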
