A command injection vulnerability exists in magnusbilling versions 6 and 7. The vulnerability allows an unauthenticated user to execute arbitrary OS commands on the host, with the privileges of the web server.
magnusbilling 7 up to and including commit 7af21ed620
magnusbilling 6 (all versions)
The following proof of concept uses a harmless
sleep 30 command as a payload.
A piece of demonstration code is present in
lib/icepay/icepay.php, with a call to
exec() at line 753. The parameter to
exec() includes the GET parameter
democ, which is controlled by the user.
An unauthenticated user is able to execute arbitrary OS commands. The commands run with the privileges of the web server process, typically
www-data. At a minimum, this allows an attacker to compromise the billing system and its database.
Remove the demo code from