OS Command Injection in falconchristmas/fpp
Reported on
May 12th 2021
✍️ Description
Hi, in https://github.com/FalconChristmas/fpp/blob/721c99aed6897792bf7f79fa02a280995e27d409/www/gitCheckoutVersion.php#L38 :
<?
system($SUDO . " $fppDir/scripts/git_checkout_version " . $_GET['version']);
?>
The system() function is called with user-controlled input: the version query parameter is concatenated into the command string without validation or escaping, so a malicious user can exploit it if the version value contains a shell command.
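For comparison, here is a hardened form of the same call. This is an added example, not code from the fpp project or from the reporter; it assumes, as the original snippet does, that $SUDO and $fppDir are set by the surrounding script, and the allowlist pattern for a version name is an assumption chosen for illustration. It rejects anything that is not a plausible git tag or branch name, then quotes the argument with escapeshellarg() so the shell never interprets it.

```php
<?php
// Added example (not fpp project code): hardened replacement for the
// gitCheckoutVersion.php call shown in the report. Assumes $SUDO and
// $fppDir are defined by the surrounding script, as in the original.

/**
 * Return the version string only if it looks like a git ref name,
 * otherwise null. The allowlist is an assumption for illustration:
 * letters, digits, dot, underscore, hyphen and slash; must start with
 * an alphanumeric (so it cannot be parsed as an option); no "..";
 * bounded length.
 */
function validateVersion(?string $version): ?string
{
    if ($version === null || strlen($version) > 128) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._\/-]*$/', $version)) {
        return null;
    }
    if (strpos($version, '..') !== false) {
        return null;
    }
    return $version;
}

$version = validateVersion($_GET['version'] ?? null);
if ($version === null) {
    http_response_code(400);
    echo "Invalid version";
    exit;
}

// Validation already excludes shell metacharacters; quoting is kept as
// defence in depth so the argument is passed to the script verbatim.
$cmd = $SUDO . ' ' . escapeshellarg("$fppDir/scripts/git_checkout_version")
     . ' ' . escapeshellarg($version);
system($cmd);
?>
```

With this change a value such as the one in the proof of concept below fails the allowlist check and the request is rejected with HTTP 400 before any command is run; the authorisation of who may call this endpoint at all is a separate concern that the report does not cover.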
🕵️‍♂️ Proof of Concept
http://127.0.0.1/gitCheckoutVersion.php?version=a||ls
💥 Impact
Remote Code Execution