DumbDrop OS Command Injection Vulnerability in File Upload Feature Allowing Remote Code Execution
Vulnerability
A command injection vulnerability has been identified in the DumbDrop file upload application, specifically within the '/upload/init' endpoint. This vulnerability allows for arbitrary code execution on the server when the Apprise Notification feature is enabled. The issue arises from insufficient validation of user input, which can be exploited by crafting a malicious filename that is processed by the application as a command.
Impact
Exploitation of this vulnerability allows arbitrary code execution on the server in the context of the application process, and the executed command's output may be returned to the attacker in the response. Additionally, according to the vulnerability disclosure, this could lead to a takeover of the web server host if the command executes with root privileges.
Reproduction
To reproduce this vulnerability, upload a file through the '/upload/init' endpoint with a filename that contains a command injection payload (shell metacharacters that the notification code passes through to a shell). Ensure that the Apprise Notification feature is enabled, as the vulnerability relies on this functionality to execute the injected command.
Remediation
Users are advised to update to the patched version available in the GitHub repository. Because the injected command is only executed when the Apprise Notification feature is enabled, disabling that feature limits exposure until the update is applied.
