CVE-2022-36749: šŸ› | Command Injection and XSS vulnerabilities reports Ā· Issue #1859 Ā· MiczFlor/RPi-Jukebox-RFID

RPi-Jukebox-RFID v2.3.0 was discovered to contain a command injection vulnerability via the component /htdocs/utils/Files.php. This vulnerability is exploited via a crafted payload injected into the file name of an uploaded file.

CVE
Tags: #xss #vulnerability #php

I would like to report a possible vulnerability.

```php
//line 136
if(isset($_GET['folder']) && $_GET['folder'] != "") {
    $post['folder'] = $_GET['folder'];
} else {
    if(isset($_POST['folder']) && $_POST['folder'] != "") {
        $post['folder'] = $_POST['folder'];
    }
}
if(isset($_GET['filename']) && $_GET['filename'] != "") {
    $post['filename'] = $_GET['filename'];
} else {
    if(isset($_POST['filename']) && $_POST['filename'] != "") {
        $post['filename'] = $_POST['filename'];
    }
}

//line 249
$fileName = Files::buildPath($post['folder'], $post['filename']);
$exec = "mid3v2 -l '" . $fileName . "'";
```

```php
public static function buildPath(...$pieces) {
    return implode(DIRECTORY_SEPARATOR, $pieces);
}
```

So the attacker can control the command injection through the filename.
The attacker can add ';' and add another command like (echo <script>alert(document.cookie)</script>).
The output of the command will be printed through this path.

```php
//line 252
// note: the output of the command is in $res
$lines = explode(PHP_EOL, $res);
foreach($lines as $line) {
    $parts = explode("=", $line);
    $key = trim(array_shift($parts)); // take the first
    $val = trim(implode("=", $parts)); // put the rest back together
    if (in_array($key, $trackDat['metaKeys']['mp3'])) {
        $trackDat['existingTags'][$key] = $val;
    }
}

//line 496
if (isset($trackDat['existingTags']['TCOM']) && trim($trackDat['existingTags']['TCOM']) != "") {
    echo trim($trackDat['existingTags']['TCOM']);
}
```

Finally, I recommend using the escapeshellarg function with $_GET['folder'], $_POST['folder'], $_GET['filename'] and $_POST['filename'].
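An added example, not code from the issue or from the RPi-Jukebox-RFID project, showing the hardening the report recommends: the two request parameters are validated as single path segments, the resulting path goes through escapeshellarg() before it reaches the shell, and tag values are HTML-encoded before being echoed (covering the XSS half of the report). MEDIA_ROOT and all function names here are assumptions.

```php
<?php
// Added example (not the project's code): hardened handling of the
// folder/filename request parameters before they reach a shell command,
// and of tag values before they are echoed into HTML.

// Assumed base directory; not taken from the project.
const MEDIA_ROOT = '/var/www/shared/audiofolders';

// Reject any piece that is empty, a dot-segment, or contains a path
// separator or NUL, so the joined path cannot leave MEDIA_ROOT.
// Assumes folder and filename are each a single path segment.
function safeBuildPath(string ...$pieces): ?string
{
    foreach ($pieces as $piece) {
        if ($piece === '' || $piece === '.' || $piece === '..'
            || strpbrk($piece, "/\\\0") !== false) {
            return null;
        }
    }
    return MEDIA_ROOT . DIRECTORY_SEPARATOR . implode(DIRECTORY_SEPARATOR, $pieces);
}

// escapeshellarg() wraps the whole path in single quotes and escapes any
// embedded quote, so a ';' or quote in the file name stays inside one
// literal argument instead of starting a second command.
function buildListTagsCommand(string $folder, string $filename): ?string
{
    $path = safeBuildPath($folder, $filename);
    if ($path === null) {
        return null;
    }
    return 'mid3v2 -l ' . escapeshellarg($path);
}

// Encode a tag value before printing so command output cannot become markup.
function renderTagValue(string $value): string
{
    return htmlspecialchars(trim($value), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs modelled on the report (not real files).
$cmd = buildListTagsCommand('playlist', "song.mp3'; echo <script>alert(1)</script> #");
echo $cmd, PHP_EOL;            // the injected text is quoted as part of one argument
var_dump(buildListTagsCommand('..', 'passwd'));   // rejected: traversal attempt
echo renderTagValue('<script>alert(document.cookie)</script>'), PHP_EOL;
```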
