LiteSpeed Web Server Enterprise Command Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A command injection vulnerability allowing remote code execution has been identified in LiteSpeed Web Server Enterprise version 5.4.11. The flaw lies in the external application configuration interface, where an authenticated administrator can inject shell commands through the 'Command' parameter. The injected value combines a path traversal sequence with a bash command that the server then executes.

Impact

Exploitation of this vulnerability allows for authenticated command injection, with the potential for remote code execution on the server.

Reproduction

To reproduce this vulnerability, log into the LiteSpeed Web Server dashboard as an administrator. Navigate to 'Server Configuration' and then to 'External App'. Edit the application settings and set 'Start By Server' to 'Yes (Through CGI Daemon)'. In the 'Command' parameter, inject a payload that includes a path traversal sequence followed by a bash command, such as one that opens a reverse shell. After injecting the command, perform a 'Graceful Restart' to execute the payload.

Added: Jan 23, 2026, 5:33 PM
Updated: Jan 23, 2026, 10:26 PM

Vulnerability Rating (Custom Algorithm)

Category         Score
spread             7.6
impact            10.0
exploitability     6.3
remediation        0.0
relevance          2.3
threat             6.4
urgency            2.9
incentive          0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.