Headline

GHSA-5grx-v727-qmq6: 1Panel has an SQL injection issue related to the orderBy clause

Summary

There are many sql injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. The proof is as follows

Details （one of them ）

PoC

curl ‘http://api:30455/api/v1/hosts/command/search’ {"page":1,"pageSize":10,"groupID":0,"orderBy":"3“,"order":"ascending","name":"a"} <img width="664” alt="image" src="https://github.com/1Panel-dev/1Panel/assets/129351704/250d5a2a-cb32-44dc-9831-86dbc2f2b43f"> for example as picture . just change orderby‘s num we can know How many columns does the data table have.Parameters require strict whitelist filtering

Impact

RCE、data leak.

1 month ago

ghsa

Open in Source

#sql #git #rce #ssl

GitHub Advisory Database
GitHub Reviewed
CVE-2024-39907

1Panel has an SQL injection issue related to the orderBy clause

Critical severity GitHub Reviewed Published Jul 18, 2024 in 1Panel-dev/1Panel • Updated Jul 18, 2024

Package

gomod github.com/1Panel-dev/1Panel (Go)

Affected versions

< 1.10.12-tls

Patched versions

1.10.12-tls

Summary

There are many sql injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs.
The proof is as follows

Details （one of them ）

PoC

curl ‘http://api:30455/api/v1/hosts/command/search’ {"page":1,"pageSize":10,"groupID":0,"orderBy":"3","order":"ascending","name":"a"}

for example as picture . just change orderby‘s num we can know How many columns does the data table have.Parameters require strict whitelist filtering

Impact

RCE、data leak.

References