It has been fixed in version 1.2.12. In older versions, attackers could inject an arbitrary command as GET or POST request parameter by injecting an image URL in the request. For example, the following command injection scenario would be possible in Packagist: img src="../../../../../Remote/Command/Injection/"> In addition, the AUTH_SESSION_KEY variable would be accessible in the request by injecting a variable named AUTH_SESSION_KEY.
The PRE_INSTALL_COOKIE variable would be accessible in the request by injecting a variable named PRE_INSTALL_COOKIE. The POST_INSTALL_COOKIE variable would be accessible in the request by injecting a variable named POST_INSTALL_COOKIE.

Security Risk of Packagist Command Injection

A command injection vulnerability was found in Packagist. Packagist is a package manager for PHP and its usage in web applications is widespread, ranging from websites to web frameworks. Command injection vulnerabilities are often used as an attack vector in order to inject commands into the system that would otherwise be unavailable.
This vulnerability has been fixed with version 1.2.12 of Packagist.

Exploit

# Exploit Title: Microweber 1.2.11 - Remote Code Execution (RCE) (Authenticated)
# Google Dork: NA
# Date: 02/17/2022
# Exploit Author: Chetanya Sharma @AggressiveUser
# Vendor Homepage: https://microweber.org/
# Software Link: https://github.com/microweber/microweber
# Version: 1.2.11
# Tested on: [KALI OS]
# CVE : CVE-2022-0557
# Reference : https://huntr.dev/bounties/660c89af-2de5-41bc-aada-9e4e78142db8/

# Step To Reproduce
- Login using Admin Creds. 
- Navigate to User Section then Add/Modify Users
- Change/Add image of profile and Select a Crafted Image file 
- Crafted image file Aka A image file which craft with PHP CODES for execution  
- File Extension of Crafted File is PHP7 like "Sample.php7"

- Path of Uploaded Crafted SHELL https://localhost/userfiles/media/default/shell.php7

Timeline

Published on: 02/11/2022 09:15:00 UTC
Last modified on: 03/18/2022 21:00:00 UTC

References