php-censor
- <= 2.1.6
A command injection vulnerability has been identified in php-censor versions through 2.1.6. This issue resides in the Webhook Endpoint, specifically within the GitBuild model. The vulnerability allows for operating system command injection by manipulating the commitId parameter, which is passed unsanitized into shell commands. This flaw can be exploited remotely, and the injected commands are executed with root privileges in the default Docker deployment.
Exploitation of this vulnerability allows for arbitrary command execution on the server, with commands running as the root user. This could lead to unauthorized access to sensitive files, establishment of persistent backdoors, and potential compromise of the software supply chain by altering build processes or artifacts.
To reproduce this vulnerability, send a POST request to the webhook endpoint for a Git project, including a malicious command in the commitId parameter. The WebhookController will process the request without authentication, and the command will be executed by the server's worker process.
Users are advised to update to php-censor version 2.1.7 or later, where this vulnerability has been patched.
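The unsanitized shell interpolation described above, shown next to a validated and escaped form, as an added PHP example that is not php-censor's own code and not the 2.1.7 patch; the function names, the hexadecimal allow-list pattern and the git invocation are assumptions.

```php
<?php
// Added example, not php-censor's own code. The function names, the
// allow-list pattern and the git invocation below are assumptions.

// Vulnerable pattern: a request-controlled value is interpolated directly
// into a shell command line, so anything the shell interprets is honoured.
function unsafeCommitLog(string $repoPath, string $commitId): string
{
    return (string) shell_exec("git -C $repoPath log -1 $commitId");
}

// Hardened pattern, step 1: allow-list the value before it goes anywhere.
// Git object ids are hexadecimal, 7 to 40 characters for SHA-1 repositories
// (up to 64 for SHA-256 repositories). Tags and branch names are refused here;
// resolve them separately if the endpoint must accept them.
function isValidCommitId(string $commitId): bool
{
    return (bool) preg_match('/^[0-9a-f]{7,64}$/i', $commitId);
}

// Hardened pattern, step 2: even after validation, escape every argument so
// the shell never sees it as anything but a single literal word.
function safeCommitLog(string $repoPath, string $commitId): string
{
    if (!isValidCommitId($commitId)) {
        throw new InvalidArgumentException('Rejected commit id: ' . $commitId);
    }
    $cmd = sprintf(
        'git -C %s log -1 %s',
        escapeshellarg($repoPath),
        escapeshellarg($commitId)
    );
    return (string) shell_exec($cmd);
}

// Demo of the allow-list check on constructed inputs; no git call is made.
// The first value is a made-up SHA-1 hex string, not a real commit.
$candidates = [
    '3b18e512dba79e4c8300dd08aeb37f8e728b8dad',
    'v2.1.6',
    'abc 123',
];
foreach ($candidates as $candidate) {
    printf("%-42s %s\n", $candidate, isValidCommitId($candidate) ? 'accepted' : 'rejected');
}
```

Validation alone is not a substitute for escaping: the allow-list limits what reaches the command, and `escapeshellarg` guarantees the shell treats it as one argument even if the pattern is later relaxed.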