CVE-2023-30258 Security advisory
A command injection vulnerability exists in magnusbilling versions 6 and 7. The vulnerability allows an unauthenticated user to execute arbitrary OS commands on the host, with the privileges of the web server.
Affected products
magnusbilling 7 up to and including commit 7af21ed620
magnusbilling 6 (all versions)
Steps to reproduce
The following proof of concept uses a harmless sleep 30 command as a payload.
- Visit /mbilling/lib/icepay/icepay.php?democ=/dev/null;sleep%2030;ls%20a
- Observe that the page takes 30 seconds to load
- Visit /mbilling/lib/icepay/icepay.php?democ=/dev/null;sleep%203;ls%20a
- Observe that the page takes only 3 seconds to load
Cause
A piece of demonstration code is present in lib/icepay/icepay.php, with a call to exec() at line 753. The parameter to exec() includes the GET parameter democ, which is controlled by the user.
Impact
An unauthenticated user is able to execute arbitrary OS commands. The commands run with the privileges of the web server process, typically www-data. At a minimum, this allows an attacker to compromise the billing system and its database.
Proposed Mitigation
Remove the demo code from icepay.php.
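To check whether the endpoint described above has been requested on a given host, the following added example (not part of the original advisory or of the magnusbilling code) scans web server access logs for GET requests that pass democ to lib/icepay/icepay.php. The common/combined log format, the function name find_democ_requests and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote, unquote_plus

# Assumption: access logs use the common/combined format.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Characters that let a value break out of a shell command string.
SHELL_META = re.compile(r'[;&|`$()<>\n]')
VULN_SUFFIX = "/lib/icepay/icepay.php"   # script named in the advisory
VULN_PARAM = "democ"                     # GET parameter that reaches exec()

def find_democ_requests(lines):
    """Return one finding per request that passes `democ` to icepay.php."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not unquote(url.path).endswith(VULN_SUFFIX):
            continue
        # Split on "&" only: ";" is part of the value, not a separator.
        for pair in url.query.split("&"):
            name, _, raw = pair.partition("=")
            if unquote_plus(name) != VULN_PARAM:
                continue
            value = unquote_plus(raw)
            findings.append({
                "line": lineno,
                "client": m.group("ip"),
                "status": int(m.group("status")),
                "value": value,
                "shell_meta": bool(SHELL_META.search(value)),
            })
    return findings

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /mbilling/lib/icepay/icepay.php'
    '?democ=/dev/null;sleep%2030;ls%20a HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "GET /mbilling/index.php?democ=1 HTTP/1.1" 200 1024',
    '198.51.100.9 - - [01/Jan/2024:10:02:00 +0000] "GET /mbilling/lib/icepay/icepay.php?democ=test HTTP/1.1" 200 300',
    '198.51.100.9 - - [01/Jan/2024:10:03:00 +0000] "GET /mbilling/lib/icepay/icepay.php HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for finding in find_democ_requests(SAMPLE_LOG):
        print(finding)
```

Any hit is worth reviewing, since democ belongs to demonstration code; shell_meta marks values that contain shell metacharacters.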