| Title | Tosei Tosei Online Store Management System ネット店舗管理システム 1.01 OS Command Injection / Remote Code Execution |
|---|
| Description | Summary
An OS Command Injection vulnerability exists in the Tosei Online Store Management System v1.01. The application fails to properly sanitize the DevId parameter in the /cgi-bin/monitor.php endpoint, allowing an unauthenticated remote attacker to execute arbitrary system commands via a specially crafted POST request.
Technical Details & Root Cause
The vulnerability stems from the improper use of insecure PHP system execution functions (such as system(), exec(), or shell_exec()) when processing the DevId parameter. Due to a lack of metacharacter escaping, an attacker can use a semicolon (;) to terminate the intended command and append malicious shell commands.
Proof of Concept (PoC)
An attacker can confirm the vulnerability by sending a POST request to /cgi-bin/monitor.php with the following payload:
doput=ON&DevId=;id;&Port=1
The first ; breaks out of the original command.
The id command is executed by the shell.
The trailing ; ensures the rest of the original string does not cause a syntax error.
The server responds with command output (e.g., uid=501(contec) gid=501(contec)), confirming Remote Code Execution (RCE).
Impact
Full System Compromise: Unauthorized execution of commands with web server privileges (contec).
Data Exfiltration: Potential access to sensitive system files (e.g., /etc/passwd) and database credentials.
Lateral Movement: The compromised host can serve as a pivot point for attacking the internal network.
Privilege Escalation: High risk of gaining root access due to the legacy environment (Apache/1.3.31).
Remediation
Input Validation: Implement a strict alphanumeric allow-list for the DevId parameter.
Secure Coding: Replace system shell calls with native PHP APIs.
Command Escaping: Use escapeshellarg() if shell execution is strictly required.
System Update: Upgrade the outdated Apache/PHP stack to a currently supported version. |
|---|
| Source | https://github.com/CVE-Hunter-Leo/CVE/issues/9 |
|---|
| User | CW.Wong (UID 88449) |
|---|
| Submitted | 2026-02-09 10:42 (3 months ago) |
|---|
| Moderation | 2026-02-21 18:30 (12 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 347314 [Tosei Online Store Management System ネット店舗管理システム HTTP POST Request /cgi-bin/monitor.php system privilege escalation] |
|---|
| Points | 20 |
|---|
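
The Remediation items in the description (a strict alphanumeric allow-list for DevId, with escapeshellarg() as a second layer if a shell call remains), shown as an added PHP example that is not the vendor's code or part of the original submission. The binary path, its flags, the 32-character limit and the 1-65535 range for Port are assumptions, since the page does not show the command monitor.php runs; PHP 7.1 or later is assumed.

```php
<?php
// Added example (not vendor code): validate DevId/Port before any command is built.
// MONITOR_BIN and its --dev/--port flags are hypothetical placeholders.
const MONITOR_BIN = '/usr/local/bin/devmon';

function validate_dev_id($raw): ?string
{
    // Alphanumeric allow-list with a length bound (32 is an assumed limit).
    // \A and \z anchor the whole string; "$" would also accept a trailing newline.
    if (!is_string($raw) || preg_match('/\A[A-Za-z0-9]{1,32}\z/', $raw) !== 1) {
        return null;
    }
    return $raw;
}

function validate_port($raw): ?int
{
    if (!is_string($raw) || preg_match('/\A[0-9]{1,5}\z/', $raw) !== 1) {
        return null;
    }
    $port = (int)$raw;
    return ($port >= 1 && $port <= 65535) ? $port : null; // assumed valid range
}

function build_monitor_command(array $post): ?string
{
    $devId = validate_dev_id($post['DevId'] ?? null);
    $port  = validate_port($post['Port'] ?? null);
    if ($devId === null || $port === null) {
        return null; // caller answers HTTP 400 and runs nothing
    }
    // Second layer: quote every argument even though validation already passed.
    return MONITOR_BIN . ' --dev ' . escapeshellarg($devId)
         . ' --port ' . escapeshellarg((string)$port);
}

// Constructed sample requests; the first is the payload quoted in the description.
$samples = [
    ['doput' => 'ON', 'DevId' => ';id;',    'Port' => '1'],
    ['doput' => 'ON', 'DevId' => 'DEV01',   'Port' => '1'],
    ['doput' => 'ON', 'DevId' => "DEV01\n", 'Port' => '1'],  // trailing newline
    ['doput' => 'ON', 'DevId' => ['x'],     'Port' => '1'],  // array instead of string
];
foreach ($samples as $post) {
    $cmd = build_monitor_command($post);
    echo json_encode($post['DevId']), ' => ', $cmd ?? 'REJECTED', "\n";
}
```

Rejecting on validation failure, rather than stripping characters and continuing, keeps the handler's behaviour predictable and gives a clean signal to log and alert on.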