Roxy-WI Command Injection Vulnerability in Config Comparison Endpoint Allows Authenticated Remote Code Execution

Vulnerability

A command injection vulnerability has been identified in Roxy-WI, a web interface for managing HAProxy, Nginx, Apache, and Keepalived servers. It affects versions prior to 8.2.6.3 and is located in the '/config/compare/<service>/<server_ip>/show' endpoint. Authenticated users can exploit it to execute arbitrary system commands on the host running the application. The root cause is that the values submitted in the request (the 'left' and 'right' parameters naming the configuration files to compare) are inserted directly into a command string that the server then executes, so shell metacharacters in those values are interpreted rather than treated as part of a file name.

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary commands with root privileges on the server hosting Roxy-WI, potentially leading to a full system compromise.

Reproduction

To reproduce this vulnerability, log in as a user with access to one of the supported services (HAProxy, Nginx, Apache, or Keepalived). Then send a POST request to the '/config/compare/<service>/<server_ip>/show' endpoint with a crafted 'left' value that contains the command to be executed, leaving the 'right' value empty. The injected command runs on the server and its output is returned in the HTTP response, which makes the issue straightforward to confirm against an unpatched instance.

Remediation

Users are advised to update to Roxy-WI version 8.2.6.3 or later, where this vulnerability has been fixed. Independently of the upgrade, the endpoint should validate its input rather than trust it: the 'left' and 'right' values should be checked against the set of configuration files the user is actually allowed to compare (an allowlisted file name resolved under the configuration directory, rejecting anything that does not exist there), and the comparison should be run with an argument list passed directly to the program rather than through a shell, so that no metacharacter in a parameter can change the command.
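The pattern behind the Reproduction and Remediation sections above, as an added Python example that is not Roxy-WI's own handler code: a vulnerable comparison function that pastes the request parameters into a shell command string, beside a hardened version that allowlists the file name, resolves it under the configuration directory and runs `diff` with an argument list. The function names, the `diff` invocation, the temporary configuration directory and the sample config files are assumptions made for the demonstration.

```python
import os
import re
import shutil
import subprocess
import tempfile

# Constructed sample configuration files for the demonstration (not Roxy-WI data).
CONFIG_DIR = tempfile.mkdtemp(prefix="roxy_wi_demo_")
for _name, _body in (("haproxy-1.cfg", "maxconn 2000\n"),
                     ("haproxy-2.cfg", "maxconn 4000\n")):
    with open(os.path.join(CONFIG_DIR, _name), "w", encoding="utf-8") as _f:
        _f.write(_body)


def diff_available() -> bool:
    """True when a diff binary is on PATH (the hardened path needs it)."""
    return shutil.which("diff") is not None


def compare_vulnerable(left: str, right: str) -> str:
    """Illustrative vulnerable pattern (assumed, not Roxy-WI's code): the
    request's 'left' and 'right' values are pasted into a shell command
    string, so shell metacharacters in either value are executed."""
    cmd = f"diff {left} {right}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Allowlist for configuration file names: starts with an alphanumeric,
# so '..' and option-like '-rf' are rejected; no slashes or metacharacters.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def resolve_config(name: str) -> str:
    """Reject anything that is not the name of an existing file in CONFIG_DIR."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"invalid config name: {name!r}")
    base = os.path.realpath(CONFIG_DIR)
    path = os.path.realpath(os.path.join(base, name))
    # realpath collapses '..' and symlinks; a result outside base means traversal.
    if os.path.dirname(path) != base or not os.path.isfile(path):
        raise ValueError(f"unknown config: {name!r}")
    return path


def compare_safe(left: str, right: str) -> str:
    """Hardened form: validated paths, argv list, no shell interpretation."""
    args = ["diff", "--", resolve_config(left), resolve_config(right)]
    # diff exits 1 when the files differ; that is expected, not an error.
    return subprocess.run(args, capture_output=True, text=True, check=False).stdout


def is_rejected(left: str, right: str) -> bool:
    """True when the hardened comparison refuses the supplied pair of names."""
    try:
        compare_safe(left, right)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "missing.cfg; echo INJECTED #"   # 'right' left empty, as in the advisory
    print("vulnerable:", compare_vulnerable(payload, "").strip())
    print("hardened rejected payload:", is_rejected(payload, ""))
    if diff_available():
        print(compare_safe("haproxy-1.cfg", "haproxy-2.cfg"))
```

Running the block shows the shell-built variant printing `INJECTED` for a 'left' value that is not a file at all, while the hardened variant refuses the same value before any process is started; the only thing it will run is `diff` on two files it has already confirmed exist inside the configuration directory.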

Added: Mar 18, 2026, 12:25 AM
Updated: Mar 18, 2026, 12:25 AM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 7.5
exploitability: 6.2
remediation: 7.7
relevance: 4.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.