From 8277cec0f008a0451371a92e7e0bf082ab3f0c34 Mon Sep 17 00:00:00 2001
From: Yogesh Ojha
Date: Sun, 22 May 2022 21:11:29 +0530
Subject: [PATCH] Fix command injection issue on detect cms
---
 web/reNgine/common_func.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/web/reNgine/common_func.py b/web/reNgine/common_func.py
index 27580467..10c108cf 100644
--- a/web/reNgine/common_func.py
+++ b/web/reNgine/common_func.py
@@ -6,6 +6,7 @@
 import tldextract
 import logging
 import shutil
+import subprocess
 from threading import Thread
@@ -668,8 +669,12 @@ def get_whois(ip_domain, save_db=False, fetch_from_db=True):
 def get_cms_details(url):
 # this function will fetch cms details using cms_detector
 response = {}
- cms_detector_command = 'python3 /usr/src/github/CMSeeK/cmseek.py -u {} --random-agent --batch --follow-redirect'.format(url)
- os.system(cms_detector_command)
+ cms_detector_command = 'python3 /usr/src/github/CMSeeK/cmseek.py --random-agent --batch --follow-redirect'
+ subprocess_splitted_command = cms_detector_command.split()
+ subprocess_splitted_command.append('-u')
+ subprocess_splitted_command.append(url)
+ process = subprocess.Popen(subprocess_splitted_command)
+ process.wait()
 response['status'] = False
 response['message'] = 'Could not detect CMS!'
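Review bot: `url` still reaches CMSeeK unvalidated in `get_cms_details`. The argv list removes the shell, but a value that starts with `-` or is not an http(s) URL is handed to the tool's own option parser unchanged, and how CMSeeK treats such a value is not visible in this hunk. A scheme check before the two `append` calls would close that gap, e.g. `if urlparse(url).scheme not in ('http', 'https'):` followed by an early return of the failure response, which needs `from urllib.parse import urlparse`. `process.wait()` has no timeout and the exit status is discarded, so a stalled scan blocks the caller indefinitely; `subprocess.run(subprocess_splitted_command, timeout=<seconds>)` replaces both lines and bounds the wait. The function body continues past the end of the hunk, so how the result is read back is not covered here.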