Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
sar2html OS Command Injection Vulnerability Allowing Remote Code Execution
Vulnerability
A command injection vulnerability has been identified in sar2html versions up to and including 3.2.2. The issue arises in index.php, where the application fails to sanitize user input in the plot parameter before passing it to a system shell. This allows remote, unauthenticated attackers to inject and execute arbitrary shell commands on the server. The output of the injected command is then displayed in the application's interface once a host is selected in the host selection UI.
Impact
Exploitation of this vulnerability allows for arbitrary command execution on the underlying system where sar2html is running.
Reproduction
To reproduce this vulnerability, send a crafted GET request to 'index.php' with the plot parameter set to include a command, such as 'id'. After the command is executed, select a host in the application interface to view the command output.
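Because exploitation is a single GET request to index.php, the request shape described above is also what a defender can hunt for in web server logs. The following Python scanner is an added example, not part of this advisory and not sar2html's own code. It assumes an Apache/nginx "combined" access log format and an install path of /sar2html/index.php; the log lines embedded in it are constructed for the demonstration, not captured traffic. It decodes the plot parameter the same way PHP would build $_GET (split on raw '&' first, then percent-decode) and flags values containing shell metacharacters.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Sequences that let a query value terminate or chain a shell command.
SHELL_META = re.compile(r'[;&|`\n\r]|\$\(|\$\{')

# Apache/nginx "combined" style access log line (assumed log format).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines for the demo; not captured from a real host.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /sar2html/index.php?plot=sar01&host=srv1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /sar2html/index.php?plot=%3Bid HTTP/1.1" 200 734 "-" "curl/8.0"
203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /sar2html/index.php?host=srv1 HTTP/1.1" 200 410 "-" "Mozilla/5.0"
"""


def is_suspicious_plot(value: str) -> bool:
    """True if a decoded plot value contains shell metacharacters."""
    return SHELL_META.search(value) is not None


def plot_values(target: str):
    """Return the decoded 'plot' values from a request target.

    parse_qs splits on raw '&' before percent-decoding, which mirrors how
    PHP builds $_GET, so each value here is what index.php would receive.
    """
    query = urlsplit(target).query
    return parse_qs(query, keep_blank_values=True).get("plot", [])


def find_suspicious_requests(log_text: str):
    """Scan access-log text and return hits against index.php's plot parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        target = m.group("target")
        if "index.php" not in urlsplit(target).path:
            continue
        for value in plot_values(target):
            if is_suspicious_plot(value):
                hits.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "status": m.group("status"),
                    "plot": value,
                })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} plot={hit['plot']!r} status={hit['status']}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; a legitimate plot value such as a sar data file name contains none of the flagged characters, so hits are worth a closer look. A 200 status on a flagged request does not by itself prove the command ran, since the output only appears after the host selection step, but it identifies the source address and time window to correlate with process-creation logs on the host.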
