OS Command Injection in microweber/microweber


Reported on

Feb 5th 2022


OS command injection (also known as shell injection) is a web security vulnerability that allows an attacker to execute arbitrary operating system (OS) commands on the server that is running an application, and typically fully compromise the application and all its data. Very often, an attacker can leverage an OS command injection vulnerability to compromise other parts of the hosting infrastructure, exploiting trust relationships to pivot the attack to other systems within the organization.

Proof of Concept

Step To Reproduce
- Login using Admin Creds. 
- Navigate tpo User Section then Add/Modify Users
- Change/Add image of profile and Select a Crafted Image file 
- Crafted image file Aka A image file which craft with PHP CODES for execution  
- File Extension of Crafted File is PHP7 like "Sample.php7"

POC BY @AggressiveUser

=> I attach two image files for easy to UnderStand POC Uploading Crafted Payload

Execution Of Payload


If successfully exploited OS Command Injection could allow an attacker or malicious user command execution on the target with the same permissions as the exploited web server. Depending on the configuration of the target, and level of security hardening that has been conducted (or lack there of) successful exploitation of this vulnerability could, potentially result in the attacker gaining complete control of the vulnerable system, exfiltrating sensitive data or performing privilege escalation / lateral movement.

We are processing your report and will contact the microweber team within 24 hours. a year ago
AggressiveUser modified the report
a year ago
We have contacted a member of the microweber team and are waiting to hear back a year ago
We have sent a follow up to the microweber team. We will try again in 7 days. a year ago
a year ago


a year ago


am i eligible for CVE ID for this PATCH ?

a year ago


@admin @maintainer issue has been fixed please allocate the CVE ID

Peter Ivanov validated this vulnerability a year ago
AggressiveUser has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov marked this as fixed in 1.2.11 with commit 0a7e5f a year ago
Peter Ivanov has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation