ITRS OP5 Monitor Command Injection Vulnerability Allowing Arbitrary Command Execution

A command injection vulnerability has been identified in ITRS OP5 Monitor versions through 7.1.9. This vulnerability allows authenticated users to execute arbitrary shell commands as the unprivileged web application user. The issue arises in the command_test.php endpoint, where the 'cmd_str' parameter can be exploited via the 'Test this command' feature. Successful exploitation requires valid login credentials and access to the command testing functionality.

Impact

Exploitation of this vulnerability allows for remote command execution on the affected system, with the executed commands running under the privileges of the web application user.

Reproduction

To reproduce this vulnerability, an authenticated user must log into the OP5 Monitor web interface. Once logged in, the user can navigate to the command testing feature within the configuration section. By sending a GET request to the command_test.php endpoint with the 'cmd_str' parameter containing the desired command, the injection can be executed. The Metasploit module for this vulnerability automates this process, including the login and command execution steps.

Remediation

Users are advised to upgrade to OP5 Monitor version 7.2.0 or later, where this vulnerability has been patched.