RaspAP Web GUI Command Injection Vulnerability in Hostapd Configuration

A command injection vulnerability has been identified in RaspAP Web GUI versions through 3.3.2, specifically within the hostapd.php script. This vulnerability arises from inadequate sanitization of user input transmitted via the 'interface' parameter, allowing authenticated users to inject arbitrary commands that are executed on the server.

Impact

Exploitation of this vulnerability allows for authenticated users to execute arbitrary commands on the server where RaspAP is running.

Reproduction

To reproduce this vulnerability, an authenticated user must send a POST request to the '/hostapd_conf' endpoint with the 'SaveHostAPDSettings' parameter set to 'true'. The 'interface' parameter can be crafted to include injected commands, such as a command to create a file in the '/tmp' directory. After the request is processed, the injected command will be executed, demonstrating the command injection vulnerability.

Remediation

Users can update to RaspAP version 3.3.3 or later, where this vulnerability has been fixed. Instructions for updating can be found on the RaspAP GitHub repository.