IPFire Remote Command Execution Vulnerability via Proxy.cgi Interface

A remote command execution vulnerability has been identified in IPFire versions prior to 2.19 Core Update 101. This vulnerability exists within the 'proxy.cgi' CGI interface, where an authenticated attacker can inject arbitrary shell commands. The exploitation is achieved by crafting specific inputs in the NCSA user creation form, which are then executed on the server with web server privileges.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected IPFire system, with the executed commands being run as the web server user.

Reproduction

To reproduce this vulnerability, an authenticated user must send a POST request to the 'proxy.cgi' interface with crafted values in the 'NCSA_PASS' and 'NCSA_PASS_CONFIRM' fields. These values should include the desired shell commands, using '||' to chain commands after bypassing the initial command execution safeguards. The 'NCSA_USERNAME' field must also be populated, and the 'ACTION' field should be set according to the current language of the IPFire interface.

Remediation

Users are advised to upgrade to IPFire 2.19 Core Update 101, which addresses this vulnerability.