Sickbeard Remote Command Injection Vulnerability
Vulnerability
A remote command injection vulnerability exists in Sickbeard alpha, allowing unauthenticated attackers to execute arbitrary commands via the extra scripts configuration. By inserting malicious commands into the extra scripts field and then triggering post-processing, attackers can execute code remotely on the affected Sickbeard installation.
Impact
Exploitation of this vulnerability allows for remote command execution on the server where Sickbeard is running.
Reproduction
The vulnerability can be reproduced by sending a POST request to the 'config/hidden/saveHidden' endpoint with the 'extra_scripts' parameter set to the desired command. After the command is saved, another POST request can be sent to the 'home/postprocess/processEpisode' endpoint to execute the command. This exploitation can be automated with a Python script that uses the 'requests' library to send the necessary POST requests.
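For defenders, the two-request sequence described above leaves a recognizable pattern in web or reverse-proxy access logs. The following is an added example, not code from the original advisory or from the Sickbeard project: it flags any client that POSTs to the hidden-config save endpoint and then to the post-processing endpoint within a short window. The common/combined log format, the 10-minute window and the sample lines are assumptions. Request bodies are not logged, so the 'extra_scripts' value itself is not visible here.

```python
import re
from datetime import datetime, timedelta

# Endpoint paths named in the advisory; suffix match tolerates a web-root prefix.
SAVE_PATH = "config/hidden/saveHidden"
TRIGGER_PATH = "home/postprocess/processEpisode"
WINDOW = timedelta(minutes=10)  # assumed correlation window, tune per site

# Common/combined access log format (assumption; adapt to your proxy).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def find_save_then_trigger(lines, window=WINDOW):
    """Return (ip, save_time, trigger_time) for each client that POSTs the
    hidden-config save and then the post-processing trigger within `window`."""
    last_save = {}  # client ip -> time of its most recent saveHidden POST
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0].strip("/")
        if path.endswith(SAVE_PATH):
            last_save[m["ip"]] = ts
        elif path.endswith(TRIGGER_PATH) and m["ip"] in last_save:
            saved = last_save.pop(m["ip"])
            if timedelta(0) <= ts - saved <= window:
                hits.append((m["ip"], saved, ts))
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.4 - - [12/Mar/2024:09:00:00 +0000] "POST /config/hidden/saveHidden HTTP/1.1" 200 31',
    '198.51.100.7 - - [12/Mar/2024:10:00:01 +0000] "GET /home/ HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/Mar/2024:10:00:05 +0000] "POST /config/hidden/saveHidden HTTP/1.1" 200 31',
    '192.0.2.10 - - [12/Mar/2024:10:00:06 +0000] "POST /home/postprocess/processEpisode HTTP/1.1" 200 88',
    '198.51.100.7 - - [12/Mar/2024:10:00:09 +0000] "POST /home/postprocess/processEpisode HTTP/1.1" 200 412',
    '203.0.113.4 - - [12/Mar/2024:11:30:00 +0000] "POST /home/postprocess/processEpisode HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for ip, saved, fired in find_save_then_trigger(SAMPLE_LOG):
        print(f"ALERT {ip}: saveHidden at {saved}, processEpisode at {fired}")
```

A match is a triage signal rather than proof of compromise, since an administrator changing settings and then running post-processing by hand produces the same sequence; follow up by reviewing the saved extra scripts value in the Sickbeard configuration.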
