OpenProject Arbitrary Command Execution Vulnerability via Email Notification Settings

Vulnerability

A vulnerability allowing arbitrary command execution has been identified in OpenProject versions through 16.6.1. The issue arises when an authenticated administrator configures the sendmail binary path in the email notification settings. When a test email is sent, the entered path is executed in a Linux shell together with the source and destination email addresses, so shell metacharacters in the configured value are interpreted by the shell. Successful exploitation can lead to the execution of arbitrary Linux commands on the server.

Impact

Exploitation of this vulnerability allows registered administrators to execute arbitrary commands on the underlying operating system with elevated privileges, surpassing the typical rights of an application administrator.

Reproduction

To reproduce this vulnerability, an authenticated administrator navigates to the email notification settings and enters a command into the 'System path to sendmail' field. Once the path, including any desired commands, is saved, the administrator sends a test email, which triggers the execution of the injected commands on the server.

Remediation

Update to OpenProject version 16.6.2 or 17.0.0, where this vulnerability has been patched. Alternatively, configure the sendmail executable location through the environment variable 'OPENPROJECT_SENDMAIL__LOCATION', which makes the setting read-only and prevents it from being modified in the application.
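The root cause described in the Vulnerability and Reproduction sections is that an administrator-controlled path reaches a shell unchanged. The following Ruby example, added here and not taken from OpenProject or the mail gem, shows the two controls a defender would want for this class of bug: a strict validator for the configured sendmail location, and an argument vector that is handed to execve(2) directly (via Process.spawn or Open3 with separate arguments) instead of a shell command string. The function names and the exact argument layout (-i, -f sender, -- recipient) are assumptions for illustration.

```ruby
require "open3"

# Characters a POSIX shell treats specially. A path to a sendmail binary has
# no legitimate need for any of them, so their presence means the value is
# not a plain path. (Constructed list for this example.)
SHELL_METACHARACTERS = /[;&|`$()<>\s'"\\*?\[\]{}!#~]/

# Validate an administrator-supplied sendmail location before it is stored.
# Returns the path when it is an absolute path free of shell metacharacters
# and NUL bytes; raises ArgumentError otherwise.
# Hypothetical helper, not OpenProject's own validation.
def validate_sendmail_location(value)
  raise ArgumentError, "sendmail location must be a String" unless value.is_a?(String)
  raise ArgumentError, "sendmail location contains a NUL byte" if value.include?("\0")
  raise ArgumentError, "sendmail location must be an absolute path" unless value.start_with?("/")
  raise ArgumentError, "sendmail location contains shell metacharacters" if value.match?(SHELL_METACHARACTERS)
  value
end

# Build the argument vector used to run sendmail. Because this is an Array
# rather than a single String, Process.spawn / Open3 pass it straight to
# execve(2) without /bin/sh, so neither the path nor the addresses are ever
# parsed by a shell. The "--" stops option parsing so a recipient beginning
# with "-" cannot be read as a sendmail flag.
def sendmail_argv(location, from, to)
  [validate_sendmail_location(location), "-i", "-f", from, "--", to]
end

# Deliver a raw RFC 5322 message through sendmail's standard input.
# Open3.capture2 with several arguments never involves a shell.
# Returns [stdout, Process::Status]. (Illustrative; not run by the test.)
def run_sendmail(location, from, to, message)
  argv = sendmail_argv(location, from, to)
  Open3.capture2(*argv, stdin_data: message)
end
```

The validator is deliberately stricter than "reject the characters that happen to be dangerous in bash": anything other than an absolute, metacharacter-free path is refused, so the allow-list does not need updating when another shell is in use. Even with validation in place, the argv form in sendmail_argv is the control that actually removes the shell from the picture; validation is defence in depth on top of it.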

Added: Jan 10, 2026, 2:24 AM
Updated: Jan 10, 2026, 2:24 AM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 10.0
exploitability: 5.1
remediation: 8.3
relevance: 2.0
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.