Headline
CVE-2023-30258: Security advisory
Command Injection vulnerability in MagnusSolution magnusbilling 6.x and 7.x allows remote attackers to run arbitrary commands via unauthenticated HTTP request.
…/ advisories/
A command injection vulnerability exists in magnusbilling versions 6 and 7. The vulnerability allows an unauthenticated user to execute arbitrary OS commands on the host, with the privileges of the web server.
Affected products
magnusbilling 7 up to and including commit 7af21ed620
magnusbilling 6 (all versions)
Steps to reproduce
The following proof of concept uses a harmless sleep 30 command as a payload.
- Visit /mbilling/lib/icepay/icepay.php?democ=/dev/null;sleep%2030;ls%20a
- Observe that the page takes 30 seconds to load
- Visit /mbilling/lib/icepay/icepay.php?democ=/dev/null;sleep%203;ls%20a
- Observe that the page takes only 3 seconds to load
Cause
A piece of demonstration code is present in lib/icepay/icepay.php, with a call to exec() at line 753. The parameter to exec() includes the GET parameter democ, which is controlled by the user.
Impact
An unauthenticated user is able to execute arbitrary OS commands. The commands run with the privileges of the web server process, typically www-data. At a minimum, this allows an attacker to compromise the billing system and its database.
Proposed Mitigation
Remove the demo code from icepay.php.
History
- 2023-03-28: Initial report removed by maintainer
- 2023-03-27: Vulnerability fixed
- 2023-03-27: Vulnerability reported
Related news
This Metasploit module exploits a command injection vulnerability in MagnusBilling application versions 6.x and 7.x that allows remote attackers to run arbitrary commands via an unauthenticated HTTP request. A piece of demonstration code is present in lib/icepay/icepay.php, with a call to an exec(). The parameter to exec() includes the GET parameter democ, which is controlled by the user and not properly sanitised/escaped. After successful exploitation, an unauthenticated user is able to execute arbitrary OS commands. The commands run with the privileges of the web server process, typically www-data or asterisk. At a minimum, this allows an attacker to compromise the billing system and its database.