Submission #754579: Tosei Tosei Online Store Management System ネット店舗管理システム 1.01 OS Command Injection / Remote Code Execution (info)

Title: Tosei Tosei Online Store Management System ネット店舗管理システム 1.01 OS Command Injection / Remote Code Execution
Description:

Summary
An OS Command Injection vulnerability exists in the Tosei Online Store Management System v1.01. The application fails to properly sanitize the DevId parameter in the /cgi-bin/monitor.php endpoint, allowing an unauthenticated remote attacker to execute arbitrary system commands via a specially crafted POST request.

Technical Details & Root Cause
The vulnerability stems from the improper use of insecure PHP system execution functions (such as system(), exec(), or shell_exec()) when processing the DevId parameter. Due to a lack of metacharacter escaping, an attacker can use a semicolon (;) to terminate the intended command and append malicious shell commands.

Proof of Concept (PoC)
An attacker can confirm the vulnerability by sending a POST request to /cgi-bin/monitor.php with the following payload:

doput=ON&DevId=;id;&Port=1

- The first ; breaks out of the original command.
- The id command is executed by the shell.
- The trailing ; ensures the rest of the original string does not cause a syntax error.

The server responds with command output (e.g., uid=501(contec) gid=501(contec)), confirming Remote Code Execution (RCE).

Impact
- Full System Compromise: Unauthorized execution of commands with web server privileges (contec).
- Data Exfiltration: Potential access to sensitive system files (e.g., /etc/passwd) and database credentials.
- Lateral Movement: The compromised host can serve as a pivot point for attacking the internal network.
- Privilege Escalation: High risk of gaining root access due to the legacy environment (Apache/1.3.31).

Remediation
- Input Validation: Implement a strict alphanumeric allow-list for the DevId parameter.
- Secure Coding: Replace system shell calls with native PHP APIs.
- Command Escaping: Use escapeshellarg() if shell execution is strictly required.
- System Update: Upgrade the outdated Apache/PHP stack to a currently supported version.
Source: https://github.com/CVE-Hunter-Leo/CVE/issues/9
User: CW.Wong (UID 88449)
Submission: 2026-02-09 10:42 AM (3 months ago)
Moderation: 2026-02-21 06:30 PM (12 days later)
Status: Accepted
VulDB entry: 347314 [Tosei Online Store Management System ネット店舗管理システム HTTP POST Request /cgi-bin/monitor.php system privilege escalation]
Points: 20
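
The remediation items in the description (strict alphanumeric allow-list for DevId, escapeshellarg() where a shell call cannot be avoided), sketched as an added PHP example; it is not the vendor's monitor.php and not part of the submission. The binary path MONITOR_BIN, the argument order, the 32-character DevId limit and the 1-65535 Port range are assumptions made for illustration.

```php
<?php
// Added example: hypothetical request handling, not the vendor's code.
// MONITOR_BIN is a placeholder; the real command is not shown in the report.
const MONITOR_BIN = '/usr/local/bin/monitor-tool';

/** Return DevId if it is strictly alphanumeric (1-32 chars, assumed limit), else null. */
function validate_dev_id($raw): ?string
{
    if (!is_string($raw)) {
        return null; // rejects array input such as DevId[]=x
    }
    // \A and \z anchor the whole string; '$' alone would accept a trailing newline.
    return preg_match('/\A[A-Za-z0-9]{1,32}\z/', $raw) === 1 ? $raw : null;
}

/** Return Port as an int in 1..65535 (assumed range), else null. */
function validate_port($raw): ?int
{
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;
    }
    $port = (int) $raw;
    return ($port >= 1 && $port <= 65535) ? $port : null;
}

/** Build the command line; escapeshellarg() is defence in depth behind the allow-list. */
function build_command(string $devId, int $port): string
{
    return MONITOR_BIN . ' ' . escapeshellarg($devId) . ' ' . escapeshellarg((string) $port);
}

// Constructed sample POST bodies; the second carries the DevId value quoted in the report.
$samples = [
    ['doput' => 'ON', 'DevId' => 'dev01', 'Port' => '1'],
    ['doput' => 'ON', 'DevId' => ';id;',  'Port' => '1'],
    ['doput' => 'ON', 'DevId' => "dev01\n", 'Port' => '1'],
];

foreach ($samples as $post) {
    $devId = validate_dev_id($post['DevId'] ?? null);
    $port  = validate_port($post['Port'] ?? null);
    if ($devId === null || $port === null) {
        // Reject before any command string is built; log for detection.
        echo 'rejected: ', json_encode($post), PHP_EOL;
        continue;
    }
    echo 'would run: ', build_command($devId, $port), PHP_EOL;
}
```

Only the first sample reaches build_command(); the other two are rejected by the allow-list before any shell string exists.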
