| Title | linlinjava litemall up to 1.8.0 Argument Injection |
|---|
| Description | A vulnerability was found in linlinjava litemall up to 1.8.0 (https://github.com/linlinjava/litemall). It has been classified as critical. Affected is the function backup/load of the file litemall-db/src/main/java/org/linlinjava/litemall/db/util/DbUtil.java. The manipulation of the argument db/password leads to argument injection.
The backup() function at line 13 constructs a command:
String command = "mysqldump -u" + user + " -p" + password + " --set-charset=utf8 " + db;
Process child = rt.exec(command);
Since Runtime.exec(String) splits by whitespace, an attacker can inject additional mysqldump arguments.
PoC 1 - Arbitrary file write via db parameter:
Setting db="litemall --result-file=/tmp/pwned.txt" causes mysqldump to write output to arbitrary path.
Verified on server (CentOS 7, Java 17, MySQL 8.0.45): file /tmp/pwned.txt was created successfully.
PoC 2 - Arbitrary file write via password parameter:
Setting password="test --result-file=/tmp/pwned2.txt" also works.
Verified on server: file /tmp/pwned2.txt was created.
Impact: Arbitrary file write leading to potential RCE via cron job injection (writing to /etc/cron.d/).
The load() function at line 33 has the same issue with the mysql command.
Suggested fix: Replace Runtime.exec(String) with ProcessBuilder using argument array:
ProcessBuilder pb = new ProcessBuilder("mysqldump", "-u" + user, "-p" + password, "--set-charset=utf8", db);
Reporter: berna |
|---|
| Source | ⚠️ https://gist.github.com/A1AAAAAAAAAA1/d5ae30a17744459e7cc5902fff32a35b |
|---|
| User | berna (UID 97558) |
|---|
| Submission | 23/04/2026 04:43 PM (1 month ago) |
|---|
| Moderation | 17/05/2026 11:36 AM (24 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 364398 [linlinjava litemall up to 1.8.0 Database Setting DbUtil.java backup/load db/password privilege escalation] |
|---|
| Points | 20 |
|---|
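
The whitespace split and the argument-array fix from the description, as an added Java example (not code from litemall or from the reporter). It reproduces how Runtime.exec(String) tokenizes the command and builds a validated argument list without starting any process; the class name `DumpArgvDemo`, the helper `buildDumpArgv` and the identifier pattern are assumptions of this example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.StringTokenizer;
import java.util.regex.Pattern;

public class DumpArgvDemo {
    // Assumption for this example: user and database names use only these characters.
    private static final Pattern IDENT = Pattern.compile("[A-Za-z0-9_]{1,64}");

    // Runtime.exec(String) breaks the command into tokens with a StringTokenizer
    // on whitespace; this reproduces that split without running anything.
    static List<String> tokenizeLikeRuntimeExec(String command) {
        List<String> argv = new ArrayList<>();
        StringTokenizer st = new StringTokenizer(command);
        while (st.hasMoreTokens()) argv.add(st.nextToken());
        return argv;
    }

    // Hypothetical helper: builds the argv for ProcessBuilder, one value per element.
    // The identifier check is still needed with an array, because a value such as
    // "--result-file=..." is a single token and would reach mysqldump as an option.
    static List<String> buildDumpArgv(String user, String password, String db) {
        if (!IDENT.matcher(user).matches() || !IDENT.matcher(db).matches())
            throw new IllegalArgumentException("user/db must match " + IDENT.pattern());
        if (password.isEmpty())
            throw new IllegalArgumentException("empty password"); // bare -p would prompt
        return List.of("mysqldump", "-u" + user, "-p" + password, "--set-charset=utf8", db);
    }

    public static void main(String[] args) {
        String user = "root", password = "test";              // constructed sample values
        String db = "litemall --result-file=/tmp/pwned.txt";  // value from PoC 1 on this page

        // Concatenated form: the db value turns into two separate argv entries.
        String command = "mysqldump -u" + user + " -p" + password + " --set-charset=utf8 " + db;
        System.out.println("exec(String) argv: " + tokenizeLikeRuntimeExec(command));

        // Array form with validation: the same value is rejected before any process starts.
        try {
            buildDumpArgv(user, password, db);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // A password containing spaces (PoC 2 value) stays one argv element.
        System.out.println("array argv: "
                + buildDumpArgv(user, "test --result-file=/tmp/pwned2.txt", "litemall"));
    }
}
```

The returned list can be passed to `new ProcessBuilder(argv)`; the same construction applies to the `mysql` command used by load().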