Termix Command Injection Vulnerability in File Manager Prior to Version 2.1.0
Vulnerability
A command injection vulnerability has been identified in Termix, a web-based server management platform, in versions prior to 2.1.0. The issue arises in the extractArchive and compressFiles endpoints of the file manager, where double-quoted strings are used to construct shell commands. This allows for command substitution, enabling injection attacks on the remote SSH host. The vulnerability can bypass permission restrictions, exploiting deployments where the file manager is active but terminal access is disabled.
Impact
Exploitation of this vulnerability allows for arbitrary command execution on the remote SSH host, circumventing terminal access restrictions in environments where the file manager is enabled but the terminal is disabled.
Reproduction
To reproduce this vulnerability, send a POST request to the /ssh/file_manager/ssh/extractArchive endpoint with a payload that includes a crafted archivePath parameter. The server will execute the injected command when processing the request. Alternatively, the /ssh/file_manager/ssh/compressFiles endpoint can be used in a similar manner by injecting commands through the paths parameter.
Remediation
Users can upgrade to Termix version 2.1.0 or later, where this vulnerability has been patched.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.