OS Command Injection in microweber/microweber

Valid

Reported on

Feb 5th 2022


Description

OS command injection (also known as shell injection) is a web security vulnerability that allows an attacker to execute arbitrary operating system (OS) commands on the server that is running an application, and typically fully compromise the application and all its data. Very often, an attacker can leverage an OS command injection vulnerability to compromise other parts of the hosting infrastructure, exploiting trust relationships to pivot the attack to other systems within the organization.

Proof of Concept

Step To Reproduce
- Login using Admin Creds. 
- Navigate tpo User Section then Add/Modify Users
- Change/Add image of profile and Select a Crafted Image file 
- Crafted image file Aka A image file which craft with PHP CODES for execution  
- File Extension of Crafted File is PHP7 like "Sample.php7"

POC BY @AggressiveUser

=> I attach two image files for easy to UnderStand POC Uploading Crafted Payload

Execution Of Payload

Impact

If successfully exploited OS Command Injection could allow an attacker or malicious user command execution on the target with the same permissions as the exploited web server. Depending on the configuration of the target, and level of security hardening that has been conducted (or lack there of) successful exploitation of this vulnerability could, potentially result in the attacker gaining complete control of the vulnerable system, exfiltrating sensitive data or performing privilege escalation / lateral movement.

We are processing your report and will contact the microweber team within 24 hours. 4 months ago
AggressiveUser modified the report
4 months ago
We have contacted a member of the microweber team and are waiting to hear back 4 months ago
We have sent a follow up to the microweber team. We will try again in 7 days. 3 months ago
Bozhidar
3 months ago

https://github.com/microweber/microweber/commit/07e92499a0adb7364b2c745232e248049529b6b9

AggressiveUser
3 months ago

Researcher


am i eligible for CVE ID for this PATCH ?

AggressiveUser
3 months ago

Researcher


@admin @maintainer issue has been fixed please allocate the CVE ID

Peter Ivanov validated this vulnerability 3 months ago
AggressiveUser has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov confirmed that a fix has been merged on 0a7e5f 3 months ago
Peter Ivanov has been awarded the fix bounty
to join this conversation