OS Command Injection in falconchristmas/fpp


Reported on

May 12th 2021

✍️ Description

Hi, in https://github.com/FalconChristmas/fpp/blob/721c99aed6897792bf7f79fa02a280995e27d409/www/gitCheckoutVersion.php#L38:

system($SUDO . " $fppDir/scripts/git_checkout_version " . $_GET['version']);

The system() function is called with unvalidated user input. Because the version query parameter is concatenated straight into the shell command line, a malicious user can have arbitrary commands run if the version value contains shell metacharacters and a command.
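As an added example (not code from the fpp project), the following PHP shows how the line above can be hardened: the version parameter is validated against a strict allowlist before use, and whatever survives validation is shell-escaped so it can never be interpreted as a separate command. The allowlist pattern, the function names and the configuration values ($sudo, $fppDir) are assumptions chosen for the illustration.

```php
<?php
// Added example, not code from the fpp project. Hardens the pattern
//   system($SUDO . " $fppDir/scripts/git_checkout_version " . $_GET['version']);
// by (1) validating the parameter against an allowlist and (2) never letting
// the value reach the shell unescaped.

declare(strict_types=1);

/**
 * Accept only strings shaped like a git ref: letters, digits, dot, underscore,
 * hyphen and slash; no leading hyphen (so the value cannot be parsed as an
 * option by the checkout script), no "..", and a length cap.
 * Returns the validated value, or null when the input must be rejected.
 * The exact pattern is an assumption; tighten it to the refs you actually ship.
 */
function validate_version(string $version): ?string
{
    if ($version === '' || strlen($version) > 128) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._\/-]*$/', $version)) {
        return null;
    }
    if (strpos($version, '..') !== false) {
        return null;
    }
    return $version;
}

/**
 * Build the same command line the original code built, but with every
 * variable part passed through escapeshellarg(). $sudo and $fppDir are
 * assumed to be trusted server-side configuration, not request data.
 */
function build_checkout_command(string $sudo, string $fppDir, string $version): string
{
    $script = $fppDir . '/scripts/git_checkout_version';
    return trim($sudo . ' ' . escapeshellarg($script) . ' ' . escapeshellarg($version));
}

/**
 * Hardened request handler. With $dryRun = true (the default here) nothing is
 * executed; the function returns the command it would have run, which makes
 * the behaviour easy to inspect and test offline.
 */
function handle_request(array $get, string $sudo, string $fppDir, bool $dryRun = true): string
{
    $version = validate_version((string)($get['version'] ?? ''));
    if ($version === null) {
        // Rejected input is worth logging: it is a direct signal of probing.
        error_log('gitCheckoutVersion: rejected version parameter');
        return 'Invalid version parameter';
    }
    $cmd = build_checkout_command($sudo, $fppDir, $version);
    if (!$dryRun) {
        system($cmd, $rc); // $rc receives the exit status of the script
        return "exit status $rc";
    }
    return $cmd;
}

// Constructed sample inputs: one legitimate-looking ref, the payload shape from
// the report, and a few malformed values the allowlist must reject.
$cases = ['v5.0', 'master', '||ls', '-h', 'a..b', 'v5.0 x'];
foreach ($cases as $c) {
    $verdict = validate_version($c) !== null ? 'accepted' : 'rejected';
    echo str_pad(var_export($c, true), 12) . ' ' . $verdict . PHP_EOL;
}
echo handle_request(['version' => 'v5.0'], 'sudo', '/opt/fpp') . PHP_EOL;
echo handle_request(['version' => '||ls'], 'sudo', '/opt/fpp') . PHP_EOL;
```

Validation and escaping are deliberately kept as two separate layers: escapeshellarg() stops the shell from splitting the value into a second command, while the allowlist stops values that are well-formed shell arguments but still dangerous to the checkout script itself (for example a leading hyphen that would be read as an option). If the server runs PHP 7.4 or later, passing the command to proc_open() as an array instead of a string removes the shell from the picture entirely and is a further improvement over system().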

🕵️‍♂️ Proof of Concept

||ls

💥 Impact

Remote Code Execution
