Tosei Online Store Management System Command Injection Vulnerability Allowing Remote Code Execution

A remote code execution vulnerability has been identified in Tosei Online Store Management System version 1.01. The issue arises in the '/cgi-bin/monitor.php' file, specifically within the HTTP POST request handler. The vulnerability is caused by improper input validation of the 'DevId' parameter, which allows for OS command injection. Exploitation can be achieved by sending a crafted POST request that manipulates the 'DevId' argument, leading to the execution of arbitrary commands on the server.

Impact

Exploitation of this vulnerability allows for full system compromise, with executed commands running under the web server user 'contec'. This could lead to unauthorized access to sensitive files, such as '/etc/passwd' or application data, and could be used to escalate privileges, especially given the presence of unpatched vulnerabilities in the server's outdated software. Additionally, the compromised system could be used to attack other internal network assets.

Reproduction

To reproduce this vulnerability, send a POST request to '/cgi-bin/monitor.php' with the 'DevId' parameter set to a payload that includes a semicolon followed by a command, such as 'id'. The injected command will be executed by the server's operating system, and the response will include the output of the command, confirming the successful exploitation of the vulnerability.

Remediation

It is recommended to implement proper input validation for the 'DevId' parameter, ensuring it only accepts alphanumeric characters. If shell command execution is necessary, use PHP's 'escapeshellarg()' function to sanitize the input. Regular security audits should also be conducted to identify and address potential vulnerabilities.