OpenHarness Command Injection Vulnerability in Gateway Handler Allowing Unauthorized Remote Administrative Access
Vulnerability
A command injection vulnerability has been identified in OpenHarness versions prior to commit dd1d235. This vulnerability allows remote gateway users with chat access to execute sensitive administrative commands. The issue arises from an inadequate separation between commands intended for local use only and those safe for remote execution, particularly in the gateway handler. Exploiting this flaw, attackers can issue commands like '/permissions full_auto' through remote chat sessions, altering the permission settings of the OpenHarness instance without proper authorization.
Impact
Exploitation of this vulnerability could lead to unauthorized changes in permission settings on the affected OpenHarness instance, allowing users to gain elevated privileges or access rights they should not have.
Reproduction
To reproduce this vulnerability, a remote gateway user with chat access can send a message containing an administrative command, such as '/permissions full_auto', to the gateway. The command will be executed by the OpenHarness instance, bypassing authorization checks and potentially altering permission settings.
Remediation
Users can update to the latest version of OpenHarness, which includes a patch for this vulnerability. Instructions for updating can be found in the OpenHarness repository on GitHub.
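The separation the advisory describes as missing, sketched as an added example (this is not OpenHarness code): each command carries a remote-allowed flag that defaults to off, and the dispatcher checks where the message came from before running it. The registry, handler names and Origin type are assumptions made for illustration; only '/permissions full_auto' comes from the advisory.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict


class Origin(Enum):
    LOCAL = "local"    # operator at the local console
    REMOTE = "remote"  # chat user arriving through the gateway


@dataclass(frozen=True)
class Command:
    handler: Callable[[dict, str], str]
    remote_allowed: bool = False  # default deny: new commands are local-only


def set_permissions(state: dict, arg: str) -> str:
    state["permission_mode"] = arg
    return f"permission mode set to {arg}"


def show_help(state: dict, arg: str) -> str:
    return "available: /help"


# Hypothetical registry; only /permissions and full_auto appear in the advisory.
REGISTRY: Dict[str, Command] = {
    "/permissions": Command(set_permissions),  # administrative, local-only
    "/help": Command(show_help, remote_allowed=True),
}


def dispatch_unsafe(state: dict, message: str, origin: Origin) -> str:
    """Flawed pattern: origin is ignored, so every command runs for every caller."""
    name, _, arg = message.strip().partition(" ")
    cmd = REGISTRY.get(name.lower())
    return cmd.handler(state, arg.strip()) if cmd else "unknown command"


def dispatch(state: dict, message: str, origin: Origin) -> str:
    """Hardened pattern: remote callers reach only commands marked remote_allowed."""
    name, _, arg = message.strip().partition(" ")
    cmd = REGISTRY.get(name.lower())
    if cmd is None:
        return "unknown command"
    if origin is Origin.REMOTE and not cmd.remote_allowed:
        return f"denied: {name} is not available over the gateway"
    return cmd.handler(state, arg.strip())
```

Because the flag lives on the registry entry and defaults to off, a command added later stays local-only until someone explicitly marks it safe for the gateway.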
