
cmxsi-projecte-vps's Issues

Possible Command Injection via shell_exec

Hello, I was searching for simple vulnerabilities for a class assignment and I came across your repository. I understand that this web application you made is for managing multiple Virtual Machines running on the same server as the application. I have noticed that you perform a lot of command execution through the function shell_exec() provided by PHP, which allows you to execute a shell command. While this function does not always create a vulnerability in your code, improper use of it can cause severe problems; for example, take line 20 from your script.php file:
shell_exec("echo ./startVM.sh " . $_POST['maquina'] . " " . $_POST['usuari'] . " > ./scripts/exec.txt");
This line uses data taken from user input and concatenates it directly into the line that is going to be executed by shell_exec(). Imagine if the user manipulates the 2 variables to concatenate, for example, the following line: "&& netcat -l 4444;". The resulting string executed by shell_exec() would be:

echo ./startVM.sh && netcat -l 4444; > ./scripts/exec.txt

That would open a listening connection on port 4444 without any problem. I should clarify that this is not the only kind of script you can execute.
Therefore, I would suggest you use the functions escapeshellarg and escapeshellcmd, which escape strings to be used as a shell argument and escape shell metacharacters, respectively. Also, I would suggest defining an adequate permissions configuration on your server to avoid any kind of unwanted behaviour.
I will provide you with a usage example of both functions:


$dir = $_POST['aDirectory'];
// escapeshellarg(): $dir becomes a single quoted argument to ls
system('ls ' . escapeshellarg($dir));
// escapeshellcmd(): metacharacters in the whole command string are escaped (double quotes so $dir is interpolated)
system(escapeshellcmd("ls $dir"));

Goodbye!
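A hardened version of the quoted startVM line, added here as an example (it is not code from the cmxsi-projecte-vps repository or from the issue author). It assumes VM and user names are plain identifiers, that ./startVM.sh takes exactly two positional arguments, and that whatever later consumes exec.txt runs each line through a shell:

```php
<?php
// Added example, not code from the cmxsi-projecte-vps repository.
// Assumptions: VM names and user names are plain identifiers, and
// ./startVM.sh takes exactly two positional arguments.
declare(strict_types=1);

/** Allowlist check: reject anything that is not [A-Za-z0-9._-], 1 to 64 chars. */
function validateIdentifier(string $value, string $field): string
{
    if (preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $value) !== 1) {
        throw new InvalidArgumentException("Invalid value for $field");
    }
    return $value;
}

/** Original pattern from the issue, kept only for comparison: raw concatenation. */
function buildStartVmCommandUnsafe(string $maquina, string $usuari): string
{
    return "./startVM.sh $maquina $usuari";
}

/** Hardened: validate, then quote each value so it is one argument to the shell. */
function buildStartVmCommand(string $maquina, string $usuari): string
{
    $vm   = validateIdentifier($maquina, 'maquina');
    $user = validateIdentifier($usuari, 'usuari');
    return './startVM.sh ' . escapeshellarg($vm) . ' ' . escapeshellarg($user);
}

/** Replaces shell_exec("echo ... > ./scripts/exec.txt"): write the file
 *  directly instead of going through the shell at all. */
function queueStartVm(string $maquina, string $usuari, string $queueFile): void
{
    $line = buildStartVmCommand($maquina, $usuari) . PHP_EOL;
    if (file_put_contents($queueFile, $line, LOCK_EX) === false) {
        throw new RuntimeException("Cannot write $queueFile");
    }
}

// Constructed sample inputs: one legitimate, one carrying shell metacharacters.
$benign    = ['maquina' => 'ubuntu01', 'usuari' => 'alice'];
$malicious = ['maquina' => 'ubuntu01 && echo injected', 'usuari' => 'alice'];
echo "unsafe:   ", buildStartVmCommandUnsafe($malicious['maquina'], $malicious['usuari']), PHP_EOL;
echo "hardened: ", buildStartVmCommand($benign['maquina'], $benign['usuari']), PHP_EOL;
try {
    buildStartVmCommand($malicious['maquina'], $malicious['usuari']);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), PHP_EOL;
}
```

The allowlist is the primary control; escapeshellarg() is kept as a second layer so that a value which somehow bypasses validation still cannot terminate the command.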
