Netmake ScriptCase Production Environment Shell Injection Vulnerability Allowing Remote Command Execution

A shell injection vulnerability has been identified in the Production Environment extension of Netmake ScriptCase, affecting versions through 9.12.006 (23). This vulnerability allows authenticated attackers to execute system commands via crafted HTTP requests, exploiting the SSH connection settings where user input is improperly sanitized. The issue arises in the 'nmPageAdminSysAllConectionsCreateWizard' class, specifically within the 'Ajax' method, where SSH options are parsed and concatenated into a command executed by 'shell_exec()'.

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary system commands on the server as the web server user, typically 'www-data'.

Reproduction

To reproduce this vulnerability, first authenticate in the ScriptCase Production Environment console. Then, navigate to the database connection settings and enable SSH local port forwarding. Inject a command into the 'ssh_localportforwarding' field, such as a command to create a file, and submit the form. The injected command will be executed on the server, demonstrating the shell injection vulnerability.

Remediation

While waiting for an official fix, it is recommended to restrict access to the ScriptCase Production Environment extension, particularly the 'admin_sys_allconections_test.php' and 'admin_sys_allconections_create_wizard.php' files, which are involved in the exploitation of this vulnerability.