NietThijmen ShoppingCart Command Injection Vulnerability Allowing Remote Code Execution
Vulnerability
A command injection vulnerability has been identified in NietThijmen ShoppingCart version 0.0.2. The issue arises in the 'connect' function within the 'ssh.go' file, where user-supplied input is directly concatenated into an SSH command without proper validation or sanitization. This flaw allows attackers to inject malicious payloads into the 'Port' field when adding a cart item. Once the 'connect' command is executed with the compromised entry, the injected command is executed on the host system, leading to arbitrary command execution.
Impact
Exploitation of this vulnerability allows arbitrary command execution on the host system, with the injected commands running in the context of the user who launched the application. This could lead to privilege escalation, information disclosure, or full system compromise if, for example, a reverse shell payload is used.
Reproduction
To reproduce this vulnerability, first add a cart item with a malicious payload injected into the 'Port' field, such as ';id'. After the item is saved, execute the 'connect' command and select the injected entry. The 'connect' function will execute the injected command, demonstrating the command injection vulnerability.
Remediation
To address this vulnerability, validate the 'Port' field to ensure it only accepts numeric values within the valid port range of 1 to 65535. Additionally, use the 'exec.Command()' function with separate arguments to construct commands safely, avoiding shell injection risks. It's also important to validate all user input fields against strict allowlists before use.
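As an added example (not the project's code; the real ssh.go, its field names and the other inputs it takes are assumptions here), the remediation sketched in Go: numeric port validation within 1-65535, allowlisted host and user fields, and the ssh invocation built with exec.Command and separate arguments so no shell ever sees the cart data.

```go
package main

import (
	"fmt"
	"os/exec"
	"regexp"
	"strconv"
)

// Strict allowlists for the other fields (assumed shapes): neither may start
// with '-', so a value can never be parsed by ssh as an option instead of a target.
var (
	hostPattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9.\-]{0,252}$`)
	userPattern = regexp.MustCompile(`^[a-z_][a-z0-9_\-]{0,31}$`)
)

// validatePort accepts only a decimal integer in 1..65535, so a value such
// as ";id" is rejected before any command is built.
func validatePort(raw string) (int, error) {
	n, err := strconv.Atoi(raw)
	if err != nil {
		return 0, fmt.Errorf("port %q is not numeric", raw)
	}
	if n < 1 || n > 65535 {
		return 0, fmt.Errorf("port %d is outside 1-65535", n)
	}
	return n, nil
}

// buildSSHCommand passes each field as its own argv element via exec.Command:
// no shell is involved, so metacharacters reach ssh literally rather than being interpreted.
func buildSSHCommand(user, host, rawPort string) (*exec.Cmd, error) {
	port, err := validatePort(rawPort)
	if err != nil {
		return nil, err
	}
	if !userPattern.MatchString(user) {
		return nil, fmt.Errorf("invalid user %q", user)
	}
	if !hostPattern.MatchString(host) {
		return nil, fmt.Errorf("invalid host %q", host)
	}
	return exec.Command("ssh", "-p", strconv.Itoa(port), user+"@"+host), nil
}

func main() {
	// Constructed cart entry carrying the advisory's ';id' payload: rejected, never executed.
	fmt.Println(buildSSHCommand("deploy", "example.com", ";id"))
}
```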
