Smanga Remote Code Execution Vulnerability via Command Injection
Vulnerability
A remote code execution vulnerability has been identified in Smanga version 3.2.7, specifically within the '/php/path/rescan.php' interface. The issue arises because the application does not adequately sanitize user input in the 'mediaId' parameter before incorporating it into a system shell command. This flaw enables an unauthenticated attacker to inject arbitrary operating system commands, potentially leading to complete server compromise.
Impact
Exploitation of this vulnerability allows for unauthenticated remote code execution, with attackers gaining full control over the server's operating system.
Reproduction
To reproduce this vulnerability, send a POST request to '/php/path/rescan.php' with the 'mediaId' parameter containing a command injection payload. The injected command will be executed on the server, and the output can be redirected to a file in the web root to verify successful execution.
Remediation
The vulnerability can be addressed by sanitizing user input before it is used in shell commands, for example by passing the 'mediaId' value through 'escapeshellarg()', which quotes it so the shell treats it as a single literal argument rather than as command syntax.
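The remediation above as an added PHP example (not Smanga's own code): the concatenation pattern the advisory describes, next to a builder that validates and quotes the value. The worker path, the function names, and the assumption that 'mediaId' is a numeric ID are hypothetical; the sample inputs are constructed and no command is executed.

```php
<?php
// Added illustration, not taken from Smanga. RESCAN_WORKER is a hypothetical path.
const RESCAN_WORKER = '/app/bin/rescan-worker.php';

// Vulnerable pattern: the request value is concatenated into the command
// line unchanged, so shell metacharacters in it become command syntax.
function buildCommandUnsafe(string $mediaId): string
{
    return 'php ' . RESCAN_WORKER . ' ' . $mediaId;
}

// Hardened pattern: validate first, then quote every argument.
function buildCommandSafe(string $mediaId): string
{
    // Assumption: mediaId is a numeric database ID, so anything that is not
    // a short run of decimal digits is rejected before a command is built.
    if (!ctype_digit($mediaId) || strlen($mediaId) > 10) {
        throw new InvalidArgumentException('mediaId must be a positive integer');
    }
    // escapeshellarg() quotes the value so the shell sees exactly one
    // literal argument, whatever characters it contains.
    return 'php ' . escapeshellarg(RESCAN_WORKER) . ' ' . escapeshellarg($mediaId);
}

// Constructed inputs: one legitimate ID and three values carrying shell syntax.
$samples = ['42', '42; echo INJECTED', '$(echo INJECTED)', "42\n"];

foreach ($samples as $value) {
    printf("input : %s\n", json_encode($value));
    printf("unsafe: %s\n", buildCommandUnsafe($value));

    // Quoting alone, as the remediation suggests: metacharacters stay
    // inside the quotes and are never interpreted by the shell.
    printf("quoted: php %s %s\n", escapeshellarg(RESCAN_WORKER), escapeshellarg($value));

    // Validation plus quoting: non-numeric input never reaches the shell.
    try {
        printf("safe  : %s\n\n", buildCommandSafe($value));
    } catch (InvalidArgumentException $e) {
        printf("safe  : rejected (%s)\n\n", $e->getMessage());
    }
}
```

Running the script prints the three command strings per input, which makes it easy to see where the unquoted value changes the shape of the command and where quoting or validation stops it.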
