Roxy-WI Command Injection Vulnerability in Log Viewing Functionality Allowing Authenticated Remote Code Execution

Vulnerability

A command injection vulnerability has been identified in Roxy-WI, a web interface for managing HAProxy, Nginx, Apache, and Keepalived servers. It affects versions prior to 8.2.8.2 and allows authenticated users to execute arbitrary system commands through the log viewing feature. The issue is in the 'app/modules/roxywi/logs.py' file, where the 'grep' parameter is used twice: once in a sanitized form and once as raw input. The vulnerability is present when 'syslog_server_enable' is set to 1 in the application settings and the server is configured with SSH access.

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary commands as root on the syslog server, potentially leading to a full system compromise.

Reproduction

To reproduce this vulnerability, an authenticated user with access to the logs can send a POST request to the logs route with a crafted 'grep' parameter that includes newline characters. This will inject commands into the server's log processing, which can be exploited to execute arbitrary system commands with root privileges.

Remediation

Users can update to Roxy-WI version 8.2.8.2, where this vulnerability has been fixed.
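
The Python example below is added here to illustrate the pattern described above (one sanitized use and one raw use of the same parameter) beside a hardened form; it is not Roxy-WI's code and not the 8.2.8.2 fix. The function names, the log path, the allow-list and the shape of the command string are assumptions made for illustration.

```python
import re
import shlex

# Hypothetical names and command shape; not taken from Roxy-WI.
LOG_FILE = "/var/log/example/syslog.log"  # constructed path
ALLOWED = re.compile(r"[A-Za-z0-9 _.:/@-]{1,128}")


def validate_grep(value: str) -> str:
    """Allow-list check: rejects newlines, control characters and shell metacharacters."""
    # fullmatch, not match with '$', so a trailing newline is rejected too.
    if not ALLOWED.fullmatch(value):
        raise ValueError("grep filter contains disallowed characters")
    return value


def build_unsafe(grep: str, rows: int) -> str:
    """Pattern from the advisory: one use is sanitized, the other is the raw input."""
    cleaned = re.sub(r"[^A-Za-z0-9 _.:/@-]", "", grep)
    # The second interpolation bypasses the sanitizer, so a newline in `grep`
    # ends the pipeline and starts a new shell command line.
    return f"grep '{cleaned}' {LOG_FILE} | tail -n {rows} | grep {grep}"


def build_safe(grep: str, rows: int) -> str:
    """Validate once, reuse only the validated value, and quote it for the shell."""
    term = validate_grep(grep)
    if type(rows) is not int or not 1 <= rows <= 5000:
        raise ValueError("rows out of range")
    # -F treats the term as a fixed string; -- stops option parsing.
    return f"grep -F -- {shlex.quote(term)} {shlex.quote(LOG_FILE)} | tail -n {rows}"


if __name__ == "__main__":
    hostile = "error\necho INJECTED"  # constructed input with an embedded newline
    print(repr(build_unsafe(hostile, 10)))
    try:
        build_safe(hostile, 10)
    except ValueError as exc:
        print("rejected:", exc)
    print(build_safe("error 503", 10))
```

A review check that follows from this: every place a request parameter reaches a command string should receive the validated value, never the original request field.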

Added: Jan 15, 2026, 5:22 PM
Updated: Jan 15, 2026, 5:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 2.5
exploitability: 6.2
remediation: 7.7
relevance: 2.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.