Description:
During a source code review of the FreeScout application, an OS command injection was identified in the /public/tools.php source file. The value of the php_path request parameter is passed to the shell_exec function and executed as an OS command without any validation. This allows an adversary to execute arbitrary OS commands on the server with the privileges of the PHP process.
In a practical demonstration, the command injection was used to retrieve the server's /etc/passwd file. Because the injected value runs as a shell command, this is equivalent to arbitrary command execution and represents a complete compromise of the server hosting the FreeScout application.
The attack requires the attacker to know the application's App_Key, since /tools.php asks for it before any action is performed. This precondition makes the Attack Complexity High. Once an attacker obtains the App_Key, they can compromise the entire server on which the application is deployed.
Impact:
The OS command injection identified in the FreeScout application allows an attacker who knows the App_Key to execute arbitrary commands on the server. Successful exploitation can lead to a complete compromise of the host, affecting the confidentiality and integrity of the application, the server and its users' data, and potentially causing a disruption of service.
Mitigation:
Do not pass the php_path value to shell_exec (or any other command-executing function) as-is. Validate it strictly before use: resolve it with realpath, confirm that it points to an existing, executable file that is actually a PHP binary, and reject any value outside an allow-list of expected locations. Quote the validated path with escapeshellarg when building the command line; quoting alone is not sufficient, because an unvalidated path could still point to an arbitrary program. Keep the App_Key check in place as an additional control, but do not rely on it as the only defence.
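The following PHP code is an added example and not FreeScout's own tools.php source. It illustrates the pattern the advisory describes (the php_path parameter being handed to shell_exec unvalidated) next to a hardened version of the same call. The parameter name php_path and the payload "cat /etc/passwd;" come from the advisory; the function names, the allow-listed directories and the "-v" argument are assumptions made for the example.

```php
<?php
// Added example illustrating the advisory; not code from the FreeScout project.

// Vulnerable pattern as described in the advisory: the user-supplied php_path
// value becomes part of the command line unchanged. With the payload
// "cat /etc/passwd;" the shell runs "cat /etc/passwd" as its own command.
function runPhpVersionUnsafe(string $phpPath): string
{
    return (string) shell_exec($phpPath . ' -v');   // assumed "-v" argument
}

// Hardened form: resolve the path, require an existing executable file whose
// name is a PHP binary, and accept it only under an allow-listed directory.
// Returns the resolved path or null if the value is rejected.
function validatePhpPath(string $phpPath, array $allowedDirs): ?string
{
    $real = realpath($phpPath);
    if ($real === false || !is_file($real) || !is_executable($real)) {
        return null;                          // no php binary exists at that path
    }
    // Accept "php" and versioned names such as "php8.2"; reject anything else.
    if (!preg_match('/^php(\d+(\.\d+)*)?$/', basename($real))) {
        return null;                          // an arbitrary program, not PHP
    }
    foreach ($allowedDirs as $dir) {
        $dir = rtrim($dir, '/') . '/';
        if (strncmp($real, $dir, strlen($dir)) === 0) {
            return $real;
        }
    }
    return null;                              // e.g. /tmp/php: outside the allow-list
}

function runPhpVersionSafe(string $phpPath): string
{
    $allowed = ['/usr/bin', '/usr/local/bin', '/opt'];   // assumed allow-list
    $binary = validatePhpPath($phpPath, $allowed);
    if ($binary === null) {
        throw new InvalidArgumentException('php_path is not a valid PHP binary');
    }
    // escapeshellarg() quotes the (already validated) path as a single argument.
    return (string) shell_exec(escapeshellarg($binary) . ' -v');
}

// Demonstration with the payload from the reproduction steps.
$payload = 'cat /etc/passwd;';
// runPhpVersionUnsafe($payload) would execute "cat /etc/passwd; -v" and leak the file.
try {
    runPhpVersionSafe($payload);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}

// A legitimate value is accepted only if the binary really exists on this host.
if (validatePhpPath('/usr/bin/php', ['/usr/bin']) !== null) {
    echo runPhpVersionSafe('/usr/bin/php');
}
```

Note that the allow-list is what prevents a path such as /tmp/php (an attacker-controlled upload renamed to look like the interpreter) from being executed; realpath also collapses "../" sequences and symlinks before the prefix check, so the comparison is made against the real location of the file.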
Steps to Reproduce:
- Browse to the /tools.php endpoint.
- Enter the application's App_Key.
- Enter "cat /etc/passwd;" in the PHP path field.
- Click any of the three buttons on the page.
- The contents of /etc/passwd are returned in the response.
Evidence: