OpenSTAManager OS Command Injection Vulnerability in P7M File Decoding

Vulnerability

A critical OS command injection vulnerability has been identified in OpenSTAManager versions through 2.9.8. The flaw lies in the P7M file decoding functionality: an authenticated attacker can upload a ZIP file containing a .p7m file whose filename carries shell metacharacters, and that filename is passed unsanitized to a system command, allowing arbitrary commands to be executed on the server.

Impact

Exploitation of this vulnerability leads to remote code execution on the server, with the injected commands running as the web server user. Consequences include full server compromise, access to all application data and the database, privilege escalation if the web server runs with elevated privileges, and the installation of backdoors for persistent access or lateral movement to other systems on the network.

Reproduction

To reproduce this vulnerability, an authenticated user uploads a ZIP file containing a .p7m file whose filename exploits the command injection flaw. The application extracts the ZIP file and processes the .p7m file; the filename reaches the 'exec' function and triggers the command injection. After exploitation, the uploaded web shell can be accessed to execute commands on the server.

Remediation

To address this vulnerability, filenames should be validated before processing so that no file path containing shell metacharacters reaches the system command. Alternatively, filenames taken from ZIP files can be restricted to alphanumeric characters, dots, dashes, and underscores.
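The remediation described above, as an added PHP example that is not OpenSTAManager's own code: an allowlist check for archive entry names applied before any name reaches exec(), with escapeshellarg() as a second layer behind it. The function names, the DECODER_COMMAND placeholder, the extraction directory and the sample names are assumptions constructed for the illustration.

```php
<?php
// Added example (not OpenSTAManager's own code): allowlist validation of
// archive entry names before any of them is used to build a shell command.
// The decoder command, directory and sample names are constructed for the
// illustration and are not taken from the project.

declare(strict_types=1);

/**
 * Accept a plain base name made only of alphanumerics, dots, dashes and
 * underscores. Everything else (shell metacharacters, whitespace, path
 * separators, control characters, hidden or relative names) is rejected.
 */
function isSafeEntryName(string $name): bool
{
    if ($name === '' || strlen($name) > 255) {
        return false;
    }
    // No directory component: the entry must equal its own basename.
    if (basename($name) !== $name) {
        return false;
    }
    // No "." / ".." and no hidden files.
    if ($name[0] === '.') {
        return false;
    }
    // Strict allowlist; \A and \z (not ^ and $) so a trailing newline
    // cannot slip past the check.
    return preg_match('/\A[A-Za-z0-9._-]+\z/', $name) === 1;
}

/**
 * Return the .p7m entries of an uploaded archive. The whole upload is
 * refused if any entry has an unsafe name, so nothing is extracted first.
 *
 * @return string[] validated entry names
 * @throws RuntimeException on an unreadable archive or a rejected name
 */
function safeP7mEntries(string $zipPath): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException('Cannot open uploaded archive');
    }
    try {
        $entries = [];
        for ($i = 0; $i < $zip->numFiles; $i++) {
            $name = $zip->getNameIndex($i);
            if ($name === false || !isSafeEntryName($name)) {
                throw new RuntimeException('Archive entry name rejected by allowlist');
            }
            if (strtolower(pathinfo($name, PATHINFO_EXTENSION)) === 'p7m') {
                $entries[] = $name;
            }
        }
        return $entries;
    } finally {
        $zip->close();
    }
}

// Placeholder for the real decoder command prefix; not the project's tool.
const DECODER_COMMAND = '/usr/bin/decode-p7m';

/**
 * Invoke the decoder on one validated entry. Quoting with escapeshellarg()
 * is a second layer behind the allowlist, and the extraction directory is
 * fixed by the application rather than derived from the archive.
 *
 * @return array{status:int, output:string[]}
 */
function decodeP7m(string $extractDir, string $entryName): array
{
    if (!isSafeEntryName($entryName)) {
        throw new InvalidArgumentException('Refusing to decode an unvalidated name');
    }
    $input = $extractDir . DIRECTORY_SEPARATOR . $entryName;
    $cmd = DECODER_COMMAND . ' ' . escapeshellarg($input);
    exec($cmd, $output, $status);
    return ['status' => $status, 'output' => $output];
}

// Constructed sample names showing what the allowlist accepts and rejects.
$samples = [
    'fattura_2026-01.p7m',  // accepted
    'Invoice.PDF.P7M',      // accepted (extension check is case-insensitive)
    '../outside.p7m',       // rejected: path component
    'a;b.p7m',              // rejected: shell metacharacter
    "doc.p7m\n",            // rejected: trailing control character
    '.hidden.p7m',          // rejected: hidden / relative name
];
foreach ($samples as $s) {
    printf("%-22s %s\n", json_encode($s), isSafeEntryName($s) ? 'accepted' : 'rejected');
}
```

The allowlist is deliberately the primary control: a blocklist of known shell metacharacters is easy to get wrong across shells and character encodings, whereas a short set of permitted characters has no such gaps. Rejecting the whole archive on the first bad entry, before extraction, keeps unsafe names from ever being written to disk or logged in a way that later code might reuse.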

Added: Feb 6, 2026, 7:22 PM
Updated: Feb 6, 2026, 11:59 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          2.5
  exploitability  4.2
  remediation     0.0
  relevance       2.8
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.