| タイトル | php-censor <= 2.1.6 OS Command Injection |
|---|
| 説明 | PHP Censor (all versions through 2.1.6) allows unauthenticated OS command injection via the webhook endpoint. The WebhookController is whitelisted from authentication checks in Application.php, and the "branch" and "commit" parameters from GET/POST requests to /webhook/git/<projectId> are passed unsanitized through sprintf() into shell commands executed via Symfony Process::fromShellCommandline(). A remote unauthenticated attacker can inject arbitrary OS commands by sending a crafted branch parameter (e.g., ?branch=$(id)), which is executed asynchronously by the Worker process. In the default Docker deployment, commands run as root. |
|---|
| ソース | ⚠️ https://github.com/php-censor/php-censor/issues/442 |
|---|
| ユーザー | anch0r (UID 96691) |
|---|
| 送信 | 2026年05月11日 08:54 (25 日 ago) |
|---|
| モデレーション | 2026年05月31日 16:19 (20 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 367552 [php-censor 迄 2.1.6 Webhook Endpoint GitBuild.php commitId 特権昇格] |
|---|
| ポイント | 20 |
|---|