IPFire Command Injection Vulnerability in URL Filter Blacklist Management

A command injection vulnerability has been identified in IPFire versions prior to 2.29 (Core Update 198). This vulnerability allows authenticated attackers to execute arbitrary commands as the 'nobody' user. The issue arises in the URL filter blacklist editor, where the BE_NAME parameter is used in an HTTP POST request to /cgi-bin/urlfilter.cgi'. The application fails to properly sanitize the parameter before incorporating it into a shell command, enabling the injection of shell metacharacters and execution of commands in the context of the 'nobody' user.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected system, with the executed commands running as the 'nobody' user.

Reproduction

To reproduce this vulnerability, an authenticated user can install a blacklist via the URL filter blacklist editor. During this process, an HTTP POST request is sent to '/cgi-bin/urlfilter.cgi', with the BE_NAME parameter containing the name of the blacklist. By including unsanitized input with shell metacharacters in the BE_NAME parameter, arbitrary commands can be injected and executed on the server.

Remediation

Users can update to IPFire 2.29 (Core Update 198) or later, where this vulnerability has been patched.