openDCIM OS Command Injection Vulnerability in report_network_map.php
Vulnerability
A command injection vulnerability has been identified in openDCIM versions through 23.04, commit 4467e9c4. The issue is in report_network_map.php, where the application retrieves the 'dot' configuration parameter from the database and passes it directly to the exec() function without any validation or sanitization. An attacker who can modify the fac_Config.dot value can therefore execute arbitrary commands in the context of the web server process.
Impact
Successful exploitation results in arbitrary command execution on the server, with the commands running as the web server user.
Reproduction
The vulnerability can be reproduced by first exploiting a SQL injection vulnerability in the openDCIM application to inject a command payload into the 'dot' configuration parameter. This is done by sending a crafted request to the 'install.php' file, which is accessible without proper authentication checks. Once the 'dot' parameter is overwritten with a command payload, the 'report_network_map.php' file can be accessed, which will execute the injected command. After executing the command, the 'dot' parameter can be restored to its original value, leaving no traces of the exploitation.
Remediation
Users can update to the latest version of openDCIM, where this vulnerability has been patched. Instructions for updating can be found in the openDCIM documentation.
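A hardened form of the pattern described above, as an added example that is not openDCIM's code or its actual patch: the configured path is checked against an allowlist and the binary is started without a shell. The function names, the allowlist contents, the `-Tpng` argument and the sample values are assumptions made for illustration.

```php
<?php
// Added example, not openDCIM source. Function names, the allowlist and
// the "-Tpng" argument are assumptions made for illustration.
// Unsafe pattern the advisory describes: a database value becomes the
// command string, so anyone able to write that row controls the shell.
//   exec($config['dot'] . ' -Tpng ' . $inFile, $out, $rc);

/** Return the configured path only if it is an allowlisted executable. */
function validated_dot_path(string $configured, array $allowed): string
{
    // A bare absolute path only: no spaces, quotes or shell metacharacters.
    if (!preg_match('#^/[A-Za-z0-9._/-]+$#D', $configured)) {
        throw new RuntimeException('dot path contains unexpected characters');
    }
    if (!in_array($configured, $allowed, true)) {
        throw new RuntimeException('dot path is not on the allowlist');
    }
    if (!is_file($configured) || !is_executable($configured)) {
        throw new RuntimeException('dot path is not an executable file');
    }
    return $configured;
}

/** Run the binary without a shell (array command form, PHP 7.4+). */
function render_graph(string $dotBinary, string $dotSource): string
{
    // stderr goes to /dev/null so an unread pipe cannot block the child.
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'w']];
    $proc = proc_open([$dotBinary, '-Tpng'], $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start dot');
    }
    fwrite($pipes[0], $dotSource);
    fclose($pipes[0]);
    $png = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    if (proc_close($proc) !== 0) {
        throw new RuntimeException('dot exited with an error');
    }
    return $png;
}

// Constructed sample values; in a deployment $configured is the stored setting.
$allowed = ['/usr/bin/dot', '/usr/local/bin/dot'];
foreach (['/usr/bin/dot', '/usr/bin/dot; true'] as $configured) {
    try {
        $png = render_graph(validated_dot_path($configured, $allowed), 'digraph { a -> b }');
        echo $configured, ': rendered ', strlen($png), " bytes\n";
    } catch (RuntimeException $e) {
        echo $configured, ': rejected (', $e->getMessage(), ")\n";
    }
}
```

Validating on read limits what a tampered fac_Config.dot value can do; it does not replace fixing the unauthenticated write path that the Reproduction section describes.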
