OS Command Injection in FalconChristmas/fpp

Valid
Reported on May 29th 2021

✍️ Description

Hi, it is possible to inject arbitrary OS commands via https://github.com/FalconChristmas/fpp/blob/f032d800a67ed280f8d577d95519a71c95114579/www/upgradeOS.php#L46. The value of the `os` query parameter is concatenated, unquoted and unvalidated, into a string that is passed to system(), so any shell metacharacter it contains (`||`, `&&`, `;`, backticks, `$(...)`) is interpreted by /bin/sh. Because the command is prefixed with $SUDO, the injected command runs with whatever privilege that prefix grants:

system($SUDO . " $fppDir/SD/upgradeOS-part1.sh /home/fpp/media/upload/" . $_GET['os']);

🕵️‍♂️ Proof of Concept

Visit http://127.0.0.1/upgradeOS.php?os=||ls or http://127.0.0.1/upgradeOS.php?os=%26%26ls and observe the output of the ls command in the response. With `||`, ls runs when upgradeOS-part1.sh exits non-zero (it is invoked with the bogus argument /home/fpp/media/upload/); `&&` runs it only when the script succeeds. Note that `&&` has to be URL-encoded as `%26%26`: a literal `&` in the query string terminates the `os` parameter, so `os=&&ls` reaches PHP as an empty `os` value. A `;` separator (`os=;ls`) runs the injected command regardless of the script's exit status.
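The following is an added example, not code from the FPP project or from this report. It reproduces the vulnerable string construction from the report next to a hardened version that first validates `os` as a plain filename inside the upload directory and then quotes it with escapeshellarg(). The values of $SUDO and $fppDir, the helper names, and the sample payloads are assumptions made for the demonstration; nothing is executed, the strings are only built and printed so you can see what /bin/sh would receive.

```php
<?php
// Added example (not FPP project code). Shows why the reported line is
// injectable and one way to harden it. $SUDO/$fppDir values are assumptions.
$SUDO      = 'sudo';                    // assumption
$fppDir    = '/opt/fpp';                // assumption
$uploadDir = '/home/fpp/media/upload';  // path taken from the report

// 1. The vulnerable construction from the report: $os (i.e. $_GET['os']) is
//    appended unquoted, so the shell parses any metacharacters it contains.
function buildVulnerableCommand(string $os, string $sudo, string $fppDir): string
{
    return $sudo . " $fppDir/SD/upgradeOS-part1.sh /home/fpp/media/upload/" . $os;
}

// 2a. Positive validation: the parameter is supposed to name an uploaded
//     image file, so accept only a plain filename. No slashes (blocks
//     traversal), no leading dot, no shell metacharacters.
function isSafeOsName(string $os): bool
{
    return preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*$/', $os) === 1;
}

// 2b. Hardened construction: validate, confirm the file really sits inside
//     the upload directory (realpath follows symlinks), then quote every
//     argument with escapeshellarg() as defence in depth. Returns null when
//     the request must be refused.
function buildSafeCommand(string $os, string $sudo, string $fppDir, string $uploadDir): ?string
{
    if (!isSafeOsName($os)) {
        return null;
    }
    $base = realpath($uploadDir);
    $path = realpath($uploadDir . '/' . $os);
    if ($base === false || $path === false || !is_file($path)
        || strpos($path, $base . '/') !== 0) {
        return null;   // missing file, or it resolved outside the upload dir
    }
    // escapeshellarg() wraps the value in single quotes and escapes embedded
    // single quotes, so the shell sees exactly one argument.
    return $sudo . ' ' . escapeshellarg("$fppDir/SD/upgradeOS-part1.sh")
         . ' ' . escapeshellarg($path);
}

// Constructed sample inputs: a legitimate-looking filename plus the payload
// shapes from the proof of concept. Nothing here is run, only printed.
foreach (['fpp-image.img', '||ls', '&&ls', ';id', '../../etc/passwd'] as $payload) {
    echo "input: $payload\n";
    echo "  vulnerable command: " . buildVulnerableCommand($payload, $SUDO, $fppDir) . "\n";
    echo "  passes name check:  " . (isSafeOsName($payload) ? 'yes' : 'no') . "\n";
    echo "  quoted by escapeshellarg: " . escapeshellarg($payload) . "\n";
    $safe = buildSafeCommand($payload, $SUDO, $fppDir, $uploadDir);
    echo "  hardened command:   " . ($safe ?? 'request rejected') . "\n";
}
```

Run offline, every payload is rejected by buildSafeCommand() (the legitimate name fails only because the file does not exist on the test machine), while buildVulnerableCommand() prints the exact strings the original code would hand to system(). The allowlist check is the real fix; escapeshellarg() alone would stop the injection (`'||ls'` becomes a single argument) but would still let a caller point the upgrade script at any path on the system.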

💥 Impact

Arbitrary command execution on the FPP host by anyone who can send a request to upgradeOS.php. Since the command is prefixed with $SUDO, the injected command runs with the privilege that prefix grants rather than that of the web server user.