IPFire Command Injection Vulnerability in Proxy Report Creation

A command injection vulnerability has been identified in IPFire versions prior to 2.29 (Core Update 198). This vulnerability allows authenticated attackers to execute arbitrary commands as the 'nobody' user. The issue arises when creating a Proxy report, as the application sends an HTTP POST request to '/cgi-bin/logs.cgi/calamaris.dat'. The request includes multiple parameters that are directly interpolated into a shell command without proper sanitization. This lack of validation enables the injection of shell metacharacters, leading to unauthorized command execution.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected system, with the commands being executed under the privileges of the 'nobody' user.

Reproduction

To reproduce this vulnerability, an authenticated user can create a Proxy report in IPFire versions prior to 2.29 (Core Update 198). During the report creation, the application will send an HTTP POST request to '/cgi-bin/logs.cgi/calamaris.dat' with several parameters. By crafting a POST request that includes unsanitized shell metacharacters in these parameters, arbitrary commands can be injected and executed as the 'nobody' user.

Remediation

Users can update to IPFire 2.29 (Core Update 198) or later, where this vulnerability has been patched.