OctoPrint
cpe:2.3:a:octoprint:octoprint:*:*:*:*:*:*:*
- <= 1.11.2
A vulnerability allowing remote code execution has been identified in OctoPrint versions prior to 1.11.3. This issue arises from the ability of an authenticated attacker to upload files with specially crafted filenames. If these filenames are later used in commands executed by system event handlers, the attacker can execute arbitrary commands on the server. The vulnerability is not impactful unless event handlers are configured to execute system commands with filenames as parameters.
Exploitation of this vulnerability allows for arbitrary command execution on the server where OctoPrint is running.
To reproduce this vulnerability, upload a file with a filename that includes a command injection payload, such as a G-code file named 'test.gcode; rm -rf /; #.gcode'. Ensure that an event handler is configured to execute system commands using uploaded filenames as parameters. When the event is triggered, the command will be executed, demonstrating the vulnerability.
Users can update OctoPrint to version 1.11.3, where this vulnerability has been patched. After updating, it is recommended to review and delete any suspicious files that may have been uploaded prior to the update. Additionally, OctoPrint administrators should avoid exposing their OctoPrint instance to untrusted networks and carefully manage who has access to it.
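As an added illustration (not OctoPrint's own code), the Python below models the unsafe pattern the advisory describes, interpolating an uploaded filename into a shell string, beside two hardened forms (argv list without a shell, or `shlex.quote` when a shell string is unavoidable), plus a filename check an administrator can run over already-uploaded names when reviewing for suspicious files. The `{filename}` placeholder, the `cp` command and the sample filenames are constructed for the example, not taken from OctoPrint's configuration.

```python
import re
import shlex

# Constructed sample upload names: one benign, one carrying the injection
# string quoted in the advisory.
SAMPLE_FILENAMES = [
    "benchy.gcode",
    "test.gcode; rm -rf /; #.gcode",
]

# Characters that /bin/sh interprets (separators, redirects, substitution,
# globbing, quoting). A filename containing any of them is suspicious when
# it can reach a shell command.
SHELL_META = re.compile(r"[;&|`$<>(){}\[\]!\\\"'\n\r*?~#]")


def is_suspicious_filename(name: str) -> bool:
    """True if the name is not a plain basename or contains shell metacharacters."""
    if name in ("", ".", "..") or "/" in name:
        return True
    if name.startswith("-"):          # could be parsed as a command option
        return True
    return bool(SHELL_META.search(name))


def scan_uploads(names: list[str]) -> list[str]:
    """Return the uploaded names an administrator should review."""
    return [n for n in names if is_suspicious_filename(n)]


def unsafe_command(template: str, filename: str) -> str:
    """Vulnerable pattern: raw filename spliced into a shell string.
    Returned for inspection only; never pass this to a shell."""
    return template.replace("{filename}", filename)


def quoted_shell_command(template: str, filename: str) -> str:
    """If a shell string is unavoidable, quote the filename so it stays one word."""
    return template.replace("{filename}", shlex.quote(filename))


def safe_argv(argv_template: list[str], filename: str) -> list[str]:
    """Hardened pattern: the filename is a single argv element (use with
    subprocess.run(argv, shell=False)), and suspicious names are refused."""
    if is_suspicious_filename(filename):
        raise ValueError(f"refusing filename: {filename!r}")
    return [arg.replace("{filename}", filename) for arg in argv_template]
```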