Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Control Web Panel Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in Control Web Panel (CWP) versions prior to 0.9.8.1205. A command injection flaw in the file manager module lets an unauthenticated attacker execute arbitrary commands on the server: shell metacharacters placed in the 't_total' parameter of a permission change request reach a shell command unsanitized, and the request can be sent without authenticating to the panel. This vulnerability affects CWP instances on CentOS and other RPM-based distributions.

Impact

Exploitation of this vulnerability allows an unauthenticated remote attacker to execute arbitrary commands on the server where CWP is installed, with the privileges of the user account named in the request.

Reproduction

To reproduce this vulnerability, send a POST request to the file manager module's permission change endpoint with a valid non-root username in the 'acc' parameter and shell metacharacters followed by an arbitrary command in the 't_total' parameter. The injection works because 't_total' is not sanitized before it is inserted into a 'chmod' command line, so a metacharacter terminates the intended 'chmod' invocation and whatever follows it runs as a separate command. The server executes the injected command with the privileges of the user named in 'acc'. No session is needed, but the attacker must know an existing non-root account name on the host.
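The following is an added example and is not part of this advisory or CWP's own code. It shows two checks a practitioner would want for the parameters described above: a strict validator for the chmod mode that the server-side handler should have applied (with the hardened argv form that avoids the shell entirely), and a WAF-style inspection of a form-encoded POST body that flags values in 't_total' and 'acc' which could only be injection attempts. The parameter names come from the advisory; the assumption that a legitimate 't_total' is a 3- or 4-digit octal mode, the form-encoded body layout, and the sample bodies are constructed for this example and were not taken from captured traffic.

```python
# Added example (not part of the advisory, not CWP's code).
# Assumptions: 't_total' and 'acc' arrive form-encoded in a POST body, and a
# legitimate t_total is a 3- or 4-digit octal chmod mode. The sample bodies
# below are constructed, not captured traffic.
import re
from urllib.parse import parse_qs

OCTAL_MODE = re.compile(r"[0-7]{3,4}")
ACCOUNT = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
# Characters that change the meaning of a value glued into a shell string.
SHELL_METACHARS = set(";|&`$()<>{}\n\r'\"\\ \t")


def is_valid_mode(value: str) -> bool:
    """Accept only a plain octal mode such as 644 or 0755."""
    return OCTAL_MODE.fullmatch(value) is not None


def is_valid_account(value: str) -> bool:
    """Accept a plausible Unix account name, never root."""
    return ACCOUNT.fullmatch(value) is not None and value != "root"


def inspect_body(raw_body: str) -> dict:
    """WAF-style check on a form-encoded POST body to the permission-change
    endpoint. Returns {"block": bool, "reasons": [str, ...]}.

    parse_qs decodes percent-encoding, so '755%3Bid' is inspected as '755;id',
    which is exactly what the server-side handler would have seen.
    """
    params = parse_qs(raw_body, keep_blank_values=True)
    reasons = []
    for value in params.get("t_total", []):
        if not is_valid_mode(value):
            reasons.append(f"t_total is not an octal mode: {value!r}")
        if SHELL_METACHARS & set(value):
            reasons.append("t_total contains shell metacharacters")
    for value in params.get("acc", []):
        if not is_valid_account(value):
            reasons.append(f"acc is not an acceptable account name: {value!r}")
    return {"block": bool(reasons), "reasons": reasons}


def safe_chmod_argv(mode: str, path: str) -> list:
    """Hardened server-side form: validate the mode, then build an argv list
    for subprocess.run(argv) with no shell, so metacharacters stay inert."""
    if not is_valid_mode(mode):
        raise ValueError(f"refusing non-octal mode {mode!r}")
    return ["chmod", mode, "--", path]


# Constructed sample bodies (hypothetical; the real endpoint path is not
# stated in the advisory and is not needed for the check).
SAMPLES = {
    "benign": "acc=alice&t_total=755&path=%2Fhome%2Falice%2Fpublic_html",
    "semicolon": "acc=alice&t_total=755%3Bid%3E%2Ftmp%2Fo&path=%2Fhome%2Falice",
    "newline": "acc=alice&t_total=755%0Acat%20%2Fetc%2Fpasswd&path=%2Fhome%2Falice",
    "subshell": "acc=alice&t_total=%24(id)&path=%2Fhome%2Falice",
    "root_acc": "acc=root&t_total=755&path=%2Froot",
}


def verdicts() -> dict:
    """Map each sample name to whether the request would be blocked."""
    return {name: inspect_body(body)["block"] for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        result = inspect_body(body)
        print(f"{name:10s} block={result['block']} {result['reasons']}")
```

Only the "benign" sample passes; every other body is rejected because 't_total' is not a bare octal mode, because it carries a metacharacter, or because 'acc' names root. The allow-list on the mode is the important part: a deny-list of metacharacters alone is brittle, whereas a value that must match `[0-7]{3,4}` cannot carry a second command regardless of encoding tricks.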

Remediation

Update to CWP version 0.9.8.1205 or later, which patches this vulnerability. Because the vulnerability is reported as actively exploited, hosts that exposed the CWP panel before patching should also be reviewed for signs of compromise.

Added: Sep 19, 2025, 6:17 PM
Updated: Nov 4, 2025, 6:26 PM

Vulnerability Rating

Custom Algorithm

spread:          1.2
impact:         10.0
exploitability:  5.0
remediation:     7.7
relevance:       0.5
threat:          9.3
urgency:         2.9
incentive:       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.