CVE-2022-2550 HestiaCP OS Command Injection
OS Command Injection
HestiaCP <= 1.6.4 is vulnerable to OS command injection: arbitrary commands can be injected when installing DokuWiki through the Quick Install App. Users authenticated with the “User” role can inject commands, and the injected commands run as the “admin” user.
Prerequisite
- Any user-level account on the panel
- PHP 7.4 must be installed in order to install DokuWiki (only the admin can install PHP 7.4)
Vulnerable Part
Attackers can inject commands through $options['wiki_name'] and the other $options['XXX'] variables.
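The bug class behind this advisory is a user-supplied $options value reaching a shell command without quoting. The following PHP is an added illustration, not HestiaCP's own installer code: the function names, the install command and the option keys other than wiki_name are hypothetical. It places the vulnerable string-building pattern beside a hardened version that validates the value against an allowlist and then quotes it with escapeshellarg().

```php
<?php
// Added illustration of the bug class described in the advisory; not HestiaCP code.
// The installer command and function names are hypothetical.

/**
 * Vulnerable pattern: $options['wiki_name'] is concatenated straight into a
 * single-quoted shell argument. A value containing a single quote closes that
 * argument, and whatever follows runs as the account executing the installer
 * (the “admin” user in this advisory).
 */
function buildInstallCommandVulnerable(array $options): string
{
    return "php /opt/install_dokuwiki.php --title='" . ($options['wiki_name'] ?? '') . "'";
}

/**
 * Hardened pattern: reject anything outside a conservative allowlist first,
 * then let escapeshellarg() emit one fully quoted argument so that quotes and
 * shell metacharacters lose their meaning. Apply the same treatment to every
 * $options[...] value that reaches a shell, not only wiki_name.
 */
function buildInstallCommandHardened(array $options): string
{
    $name = $options['wiki_name'] ?? '';
    // Allowlist: letters, digits, spaces, dot, dash, underscore; 1 to 64 characters.
    if (!preg_match('/^[A-Za-z0-9 ._-]{1,64}$/', $name)) {
        throw new InvalidArgumentException('Invalid wiki name');
    }
    return 'php /opt/install_dokuwiki.php --title=' . escapeshellarg($name);
}

// Constructed inputs: a benign wiki name and a value shaped like the advisory's payload.
$benign  = ['wiki_name' => 'Team Wiki'];
$hostile = ['wiki_name' => "aa'; id > /tmp/test; echo '1"];

// The vulnerable builder returns a command in which the quoted title has been
// closed early and the remainder of the input became further shell commands.
echo buildInstallCommandVulnerable($hostile), PHP_EOL;

// The hardened builder quotes the benign value as one argument...
echo buildInstallCommandHardened($benign), PHP_EOL;

// ...and refuses the hostile value before any command string is built.
try {
    buildInstallCommandHardened($hostile);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The allowlist is the primary control and escapeshellarg() the backstop: even a value that passes validation is still quoted, so a later loosening of the regex cannot silently reintroduce the injection. Running the script shows the vulnerable builder's output containing the injected commands outside the quoted title, while the hardened builder prints a single quoted argument for the benign name and rejects the hostile one.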
POC
- Log in to the panel with a user account.
- Open the WEB tab: https://XX.XX.XX.XX:8083/list/web/
- Click “Add Web Domain”.
- Enter a random domain in the domain field and save.
- On the “Edit Web Domain” page, click “Quick Install App”.
- Click the “Setup” button under DokuWiki.
- All fields are vulnerable; enter the payload in the “Wiki Name” field, fill in the other fields, then click the Install button.
  Payload: aa'; echo "injected" > /tmp/test; id >> /tmp/test ; echo '1
- Wait 10 seconds, then read /tmp/test:
  injected
  uid=1001(admin) gid=1001(admin) groups=1001(admin)
PoC Video
Patch commits
https://github.com/hestiacp/hestiacp/commit/3d4c309cf138943cfd1e71ae51556406987aa4bf