IPFire Command Injection Vulnerability in Calamaris Log Exporter CGI

Vulnerability

A command injection vulnerability has been identified in the Calamaris log exporter CGI component of IPFire version 2.29. The CGI passes user-supplied parameter values into a shell command line without adequately sanitizing them, so an unauthenticated remote attacker can inject arbitrary operating system commands by placing shell metacharacters in any of several parameters. The vulnerable parameters are BYTE_UNIT, DAY_BEGIN, DAY_END, HIST_LEVEL, MONTH_BEGIN, MONTH_END, NUM_CONTENT, NUM_DOMAINS, NUM_HOSTS, NUM_URLS, PERF_INTERVAL, YEAR_BEGIN, and YEAR_END. Every one of these is expected to hold a number or a unit, which is what makes strict allowlisting the natural fix.
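
The flawed pattern beside a hardened replacement, as an added example that is not code from the advisory or from IPFire (whose CGIs are written in Perl; the pattern is shown here in Python). The option letters, the allowed unit letters and the integer ranges are assumptions made for the illustration, as are the sample parameter sets; the real CGI's accepted values may differ.

```python
"""Vulnerable vs hardened handling of the exporter's parameters (added example)."""
import re
from typing import Dict, List

# Parameters the advisory names as injectable.
INJECTABLE = [
    "BYTE_UNIT", "DAY_BEGIN", "DAY_END", "HIST_LEVEL", "MONTH_BEGIN",
    "MONTH_END", "NUM_CONTENT", "NUM_DOMAINS", "NUM_HOSTS", "NUM_URLS",
    "PERF_INTERVAL", "YEAR_BEGIN", "YEAR_END",
]

# Assumed allowlists (not taken from IPFire): one enumeration for the unit,
# inclusive integer ranges for everything else.
ENUM_RULES: Dict[str, set] = {"BYTE_UNIT": {"B", "K", "M", "G"}}
RANGE_RULES: Dict[str, tuple] = {
    "DAY_BEGIN": (1, 31), "DAY_END": (1, 31),
    "MONTH_BEGIN": (1, 12), "MONTH_END": (1, 12),
    "YEAR_BEGIN": (1970, 2100), "YEAR_END": (1970, 2100),
    "HIST_LEVEL": (0, 3), "PERF_INTERVAL": (1, 1440),
    "NUM_CONTENT": (0, 1000), "NUM_DOMAINS": (0, 1000),
    "NUM_HOSTS": (0, 1000), "NUM_URLS": (0, 1000),
}
# Assumed mapping from parameter to a calamaris-style option letter. The date
# bounds are omitted: they would select which log lines are fed to the tool.
OPTION_FOR = {
    "BYTE_UNIT": "-U", "HIST_LEVEL": "-H", "NUM_CONTENT": "-t",
    "NUM_DOMAINS": "-d", "NUM_HOSTS": "-c", "NUM_URLS": "-r",
    "PERF_INTERVAL": "-P",
}

# Constructed sample requests: one benign, one carrying a DNS-lookup payload.
BENIGN = {"BYTE_UNIT": "M", "NUM_DOMAINS": "20", "NUM_URLS": "20", "DAY_BEGIN": "1"}
INJECTED = {"BYTE_UNIT": "M", "NUM_DOMAINS": "20;nslookup oob.example", "NUM_URLS": "20"}


def vulnerable_command(params: Dict[str, str]) -> str:
    """The flawed pattern: raw values interpolated into one shell string.

    Returned rather than executed. Handing this string to `sh -c` (which is
    what Perl's one-argument system() does) runs whatever follows a `;`.
    """
    return (
        "calamaris -U {BYTE_UNIT} -d {NUM_DOMAINS} -r {NUM_URLS} "
        "< /var/log/squid/access.log".format(**params)
    )


def validate(params: Dict[str, str]) -> Dict[str, object]:
    """Allowlist every parameter: an exact unit letter or a bounded integer.

    Raises ValueError on anything else, so a metacharacter never reaches
    the command builder.
    """
    clean: Dict[str, object] = {}
    for name, raw in params.items():
        if name in ENUM_RULES:
            if raw not in ENUM_RULES[name]:
                raise ValueError(f"{name}: not an allowed unit: {raw!r}")
            clean[name] = raw
        elif name in RANGE_RULES:
            # ASCII digits only: no sign, whitespace, or shell metacharacters.
            if not re.fullmatch(r"[0-9]{1,6}", raw):
                raise ValueError(f"{name}: not an integer: {raw!r}")
            lo, hi = RANGE_RULES[name]
            value = int(raw)
            if not lo <= value <= hi:
                raise ValueError(f"{name}: {value} outside {lo}..{hi}")
            clean[name] = value
        else:
            raise ValueError(f"unexpected parameter {name!r}")
    return clean


def rejects(params: Dict[str, str]) -> bool:
    """True if validate() refuses the request."""
    try:
        validate(params)
    except ValueError:
        return True
    return False


def build_argv(clean: Dict[str, object]) -> List[str]:
    """Hardened pattern: an argv list run without a shell (subprocess.run(argv)
    in Python, list-form system() in Perl), so no value is ever parsed by sh."""
    argv = ["calamaris"]
    for name, opt in OPTION_FOR.items():
        if name in clean:
            argv += [opt, str(clean[name])]
    return argv


if __name__ == "__main__":
    print("vulnerable:", vulnerable_command(INJECTED))
    print("rejected:  ", rejects(INJECTED))
    print("argv:      ", build_argv(validate(BENIGN)))
```

Two layers are shown on purpose: the allowlist stops the bad value at the door, and the argv form means that even a value that somehow slipped past validation would be a single argument to the tool, not shell syntax.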

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the underlying operating system.

Reproduction

To reproduce this vulnerability, send a request to the Calamaris log exporter CGI endpoint with a payload in one of the vulnerable parameters. The payload must be URL-encoded; it uses shell metacharacters to terminate the intended command and append an injected one whose effect can be observed out of band, such as a DNS lookup for an external domain the tester controls.
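
Detection logic for the request pattern described above, added here as an example; it is not from the advisory or from IPFire. It URL-decodes the query string of each web-server access-log line and flags any of the thirteen listed parameters whose decoded value contains shell metacharacters. The log lines are constructed, and the CGI path in them is a placeholder because the page does not name the endpoint; the match is on parameter names, not on the path.

```python
"""Flag exporter requests whose injectable parameters carry shell metacharacters."""
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameters the advisory lists as injectable.
WATCHED = {
    "BYTE_UNIT", "DAY_BEGIN", "DAY_END", "HIST_LEVEL", "MONTH_BEGIN",
    "MONTH_END", "NUM_CONTENT", "NUM_DOMAINS", "NUM_HOSTS", "NUM_URLS",
    "PERF_INTERVAL", "YEAR_BEGIN", "YEAR_END",
}
# Characters a POSIX shell treats specially. Every watched parameter should be
# a number or a unit letter, so any of these in a decoded value is suspicious.
SHELL_META = set(";|&`$(){}<>\\'\"*?[]~#\n\r")

# Common/combined log format; only the client, request target and status matter.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (not real traffic); the CGI path is a placeholder.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Aug/2025:17:22:01 +0000] "GET /cgi-bin/calamaris-exporter.cgi?BYTE_UNIT=M&NUM_DOMAINS=20&DAY_BEGIN=1 HTTP/1.1" 200 5120
203.0.113.9 - - [26/Aug/2025:17:22:05 +0000] "GET /cgi-bin/calamaris-exporter.cgi?BYTE_UNIT=M&NUM_DOMAINS=20%3Bnslookup%20oob.example HTTP/1.1" 200 5120
203.0.113.9 - - [26/Aug/2025:17:22:09 +0000] "POST /cgi-bin/calamaris-exporter.cgi HTTP/1.1" 200 5120
198.51.100.4 - - [26/Aug/2025:17:23:00 +0000] "GET /cgi-bin/calamaris-exporter.cgi?YEAR_BEGIN=2025%24(id) HTTP/1.1" 200 5120
"""

Finding = Tuple[str, str, str]  # (client, parameter, decoded value)


def decode_again(value: str) -> str:
    """parse_qsl already decodes once; a second pass catches double encoding
    (%253B -> %3B -> ;), a common evasion of naive filters."""
    return unquote(value)


def scan_line(line: str) -> List[Finding]:
    """Return one finding per watched parameter whose value holds a metacharacter."""
    m = LOG_RE.match(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    findings: List[Finding] = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name not in WATCHED:
            continue
        decoded = decode_again(value)
        if SHELL_META & set(decoded):
            findings.append((m.group("client"), name, decoded))
    return findings


def scan_log(text: str) -> List[Finding]:
    """Scan every line of an access log and collect the findings."""
    out: List[Finding] = []
    for line in text.splitlines():
        out.extend(scan_line(line))
    return out


if __name__ == "__main__":
    for client, name, value in scan_log(SAMPLE_LOG):
        print(f"{client} sent {name}={value!r}")
```

A caveat worth keeping in mind: an access log only records the query string, so the POST request in the sample cannot be judged from this source at all. Parameters sent in a request body need a reverse proxy, WAF or body-logging rule in front of the CGI, or inspection of the IPFire host itself, to be seen.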

Added: Aug 26, 2025, 5:22 PM
Updated: Aug 26, 2025, 5:22 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 10.0
exploitability: 7.2
remediation: 0.0
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.