1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2023-39966

1Panel arbitrary file write vulnerability

High severity GitHub Reviewed Published Aug 10, 2023 in 1Panel-dev/1Panel • Updated Aug 10, 2023

Package

gomod github.com/1Panel-dev/1Panel (Go)

Affected versions

= 1.4.3

Summary

An arbitrary file write vulnerability could lead to direct control of the server

Details****Arbitrary file creation

In the api/v1/file.go file, there is a function called SaveContentthat,It recieves JSON data sent by users in the form of a POST request. And the lack of parameter filtering allows for arbitrary file write operations.It looks like this:

• Vulnerable Code

PoC

• We can write the SSH public key into the /etc/.root/authorized_keys configuration file on the server.

• The server was successfully written to the public key

• Successfully connected to the target server using an SSH private key.

As a result, the server is directly controlled, causing serious harm

Impact

1Panel v1.4.3

References

• GHSA-hf7j-xj3w-87g4
• https://nvd.nist.gov/vuln/detail/CVE-2023-39966
• https://github.com/1Panel-dev/1Panel/releases/tag/v1.5.0

Published to the GitHub Advisory Database

Aug 10, 2023

Last updated

Aug 10, 2023