Submit #468530: Roxy-wi https://github.com/roxy-wi/roxy-wi <8.1.3 OS Command Injection

Title: Roxy-wi https://github.com/roxy-wi/roxy-wi <8.1.3 OS Command Injection
Description:

## Summary

An OS command injection vulnerability has been found in the centralized server management system used for controlling servers like HAProxy, Nginx, Apache, and Keepalived.

## Vulnerable Code

The issue starts in the action_tools function located in app/routes/admin/routes.py:

```python
@bp.route('/tools/action/<service>/<action>')
def action_tools(service, action):
    roxywi_auth.page_for_admin()
    # Only 'action' is restricted to a fixed set; 'service' is passed on unchecked
    if action not in ('start', 'stop', 'restart'):
        return 'error: wrong action'
    return roxy.action_service(action, service)
```

- The service and action values come directly from the user.
- These values are sent to the action_service function without checking or cleaning them.

In app/modules/roxywi/roxy.py, the action_service function looks like this:

```python
def action_service(action: str, service: str) -> str:
    is_in_docker = is_docker()
    actions = {
        'start': 'enable --now',
        'stop': 'disable --now',
        'restart': 'restart',
    }
    # User-controlled 'service' is interpolated unchanged into a shell command string
    cmd = f"sudo systemctl {actions[action]} {service}"
    if not roxy_sql.select_user_status():
        return 'warning: The service is disabled because you are not subscribed. Read <a href="https://roxy-wi.org/pricing" ' \
               'title="Roxy-WI pricing" target="_blank">here</a> about subscriptions'
    if is_in_docker:
        cmd = f"sudo supervisorctl {action} {service}"
    # os.system() hands the string to /bin/sh, so shell metacharacters in 'service' are interpreted
    os.system(cmd)
    roxywi_common.logging('Roxy-WI server', f' The service {service} has been {action}ed', roxywi=1, login=1)
    return 'ok'
```

In this function, the service parameter is directly placed into the cmd variable, which is then executed using the os.system function. As a result, if we send a value like $(sleep 10) for the service parameter, the system will execute it, exposing an OS command injection vulnerability.

_Note that this vulnerability is only relevant for premium Roxy-WI servers._
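For comparison, an added example (not the project's code and not part of the original submission) of how action_service can be hardened: both parameters are checked against allowlists, and the command is executed as an argv list so no shell ever parses the service name. The allowed service names and the `runner` hook are constructed assumptions for illustration.

```python
import subprocess

# Constructed allowlists: the only values the endpoint should ever accept.
ALLOWED_ACTIONS = {
    'start': ['enable', '--now'],
    'stop': ['disable', '--now'],
    'restart': ['restart'],
}
ALLOWED_SERVICES = frozenset({'haproxy', 'nginx', 'apache2', 'keepalived'})


def build_service_command(action: str, service: str, in_docker: bool = False) -> list:
    """Validate both parameters and return an argv list, never a shell string.

    Because the service name becomes one argv element, sequences such as
    $(...), ;, | or && are passed to systemctl literally and are not interpreted.
    """
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f'unsupported action: {action!r}')
    if service not in ALLOWED_SERVICES:
        raise ValueError(f'unsupported service: {service!r}')
    if in_docker:
        return ['sudo', 'supervisorctl', action, service]
    return ['sudo', 'systemctl', *ALLOWED_ACTIONS[action], service]


def action_service(action: str, service: str, in_docker: bool = False,
                   runner=subprocess.run) -> str:
    """Hardened counterpart of the vulnerable function: validate, then run without a shell."""
    try:
        argv = build_service_command(action, service, in_docker)
    except ValueError as exc:
        return f'error: {exc}'
    # shell=False (the default) means argv goes to execve(), not to /bin/sh.
    runner(argv, check=False)
    return 'ok'


if __name__ == '__main__':
    print(build_service_command('restart', 'haproxy'))
    # The payload shape from the report is rejected before anything is executed.
    print(action_service('restart', '$(sleep 10)', runner=lambda argv, **kw: None))
```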
Source: https://github.com/roxy-wi/roxy-wi/pull/410
User: slash0x99 (UID 77812)
Submission: 24.12.2024 17:28 (1 year ago)
Moderation: 03.01.2025 15:53 (10 days later)
Status: Accepted
VulDB Entry: 290149 [Roxy-WI up to 8.1.3 roxy.py action_service action/service privilege escalation]
Points: 20
