OS Command Injection in FalconChristmas/fpp

Valid
Reported on May 29th 2021

✍️ Description

Hi, a shell command is built from unfiltered user input in https://github.com/FalconChristmas/fpp/blob/cc026bd238b641ad147a3f8e1df47052e34f16d3/www/copyFilesToRemote.php#L50: the `ip` query parameter is interpolated into an rsync command line that is then handed to system().

$ip = $_GET['ip'];   // attacker-controlled, no validation or escaping
/* ... intervening lines omitted in the report ... */
    // $ip lands unquoted on the shell command line
    $command = "rsync -rtDlv --modify-window=1 $compress --stats $fppHome/media/$dir/ $ip::media/$dir/ 2>&1";

    echo "Command: $command\n";
    echo "----------------------------------------------------------------------------------\n";
    system($command);   // runs through /bin/sh, so shell metacharacters in $ip are interpreted

$ip is interpolated directly into $command without quoting or escaping, and $command is executed by system(), which passes it to the shell. Any shell metacharacters in the ip parameter (||, ;, $(...), backticks) are therefore interpreted as command syntax rather than as part of the rsync destination.
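As an added example (not FPP's own code and not part of the original report), the following shows how the same rsync invocation can be hardened: the ip parameter is validated as a literal IP address, the directory name is restricted to a single safe path component, and every argument is escaped with escapeshellarg() so the shell never sees metacharacters. The helper names validate_remote_host(), validate_media_dir() and build_rsync_command() are hypothetical, $compress is assumed to be either an empty string or a single rsync flag such as -z, and the sample values at the bottom are constructed inputs rather than a live request.

```php
<?php
// Added hardening example for copyFilesToRemote.php; not the project's code.

function validate_remote_host(string $ip): string
{
    // The parameter is named "ip", so accept only a literal IPv4/IPv6 address.
    // "||ls||", "1.2.3.4;id" and friends fail this check.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException("ip must be a literal IP address");
    }
    return $ip;
}

function validate_media_dir(string $dir): string
{
    // $dir is concatenated into both a local path and the rsync module path:
    // allow one path component of safe characters, no separators or dots.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $dir)) {
        throw new InvalidArgumentException("dir contains disallowed characters");
    }
    return $dir;
}

function build_rsync_command(string $ip, string $dir, string $compress, string $fppHome): string
{
    $args = ['rsync', '-rtDlv', '--modify-window=1'];
    if ($compress !== '') {
        $args[] = $compress;          // assumed: '' or a single flag such as '-z'
    }
    $args[] = '--stats';
    $args[] = "$fppHome/media/$dir/";
    $args[] = "$ip::media/$dir/";

    // escapeshellarg() single-quotes each argument and escapes embedded quotes,
    // so even a value that slipped past validation reaches rsync as literal text.
    // The redirect is appended outside the quoted arguments, as in the original.
    return implode(' ', array_map('escapeshellarg', $args)) . ' 2>&1';
}

// Request handling: reject bad input with 400 instead of building a command.
function run_copy(array $query, string $compress, string $fppHome): void
{
    try {
        $ip  = validate_remote_host($query['ip'] ?? '');
        $dir = validate_media_dir($query['dir'] ?? '');
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo "Bad request: " . $e->getMessage() . "\n";
        return;
    }
    $command = build_rsync_command($ip, $dir, $compress, $fppHome);
    echo "Command: $command\n";
    system($command);
}

// Constructed demonstration values (no network access is performed here).
var_dump(filter_var('||ls||', FILTER_VALIDATE_IP));             // bool(false): PoC payload rejected
echo build_rsync_command('192.0.2.10', 'sequences', '-z', '/home/fpp'), "\n";
// 'rsync' '-rtDlv' '--modify-window=1' '-z' '--stats' '/home/fpp/media/sequences/' '192.0.2.10::media/sequences/' 2>&1
```

Because the original keeps `2>&1`, the command still goes through the shell; escapeshellarg() makes that safe for the argument values. On PHP 7.4 and later, passing an array to proc_open() avoids the shell entirely and is the stronger option if the stderr redirect can be handled through the pipes descriptor instead.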

🕵️‍♂️ Proof of Concept

Visit http://127.0.0.1/copyFilesToRemote.php?ip=||ls|| (the ip value is placed on the command line unquoted, so the shell treats || as a command separator and runs ls).

💥 Impact

RCE: arbitrary shell commands supplied in the ip parameter are executed on the FPP host with the privileges of the web server process.