Description of Vulnerability in JumpScale Portal 7

V-Rico (BI.ZONE)

UPDATE: Got a CVE-ID (CVE-2018-1000666)

Description

In the method at https://github.com/jumpscale7/jumpscale_portal/blob/c997bb1824862b08246d60e34e950df06ebac68c/apps/portalbase/system/system__contentmanager/methodclass/system_contentmanager.py#L293-L315, any text sent in the owner field is added to the command cmd="cd /opt/code/%s/%s;hg pull;hg update -C"%(owner,name) by string formatting, and the resulting command is then executed.

Using ;{cmd}# as the owner, we can execute any command on the server.

It was fixed by removing old methods: https://github.com/jumpscale7/jumpscale_portal/pull/108

The reverse shell, together with the payload, can be seen in the issue on GitHub: https://github.com/0-complexity/openvcloud/issues/1207
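
An added example (not code from the JumpScale project or from the advisory's author): the string-formatting pattern described above, next to a form that validates owner and name and runs hg with an argument list and no shell. The SAFE_NAME policy, the function names and the sample values are assumptions made for illustration; the project's own fix was to remove the methods.

```python
import os
import re
import subprocess

BASE_DIR = "/opt/code"  # directory taken from the advisory's command string
TEMPLATE = "cd /opt/code/%s/%s;hg pull;hg update -C"  # as quoted in the advisory
# Assumed policy: owner and repository names are plain identifiers.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def vulnerable_command(owner, name):
    """Return the shell string the vulnerable pattern builds (never run here)."""
    return TEMPLATE % (owner, name)


def checked(value, field):
    """Reject anything that is not a plain identifier (no ';', '/', spaces, '#')."""
    if not isinstance(value, str) or not SAFE_NAME.fullmatch(value):
        raise ValueError("invalid %s: %r" % (field, value))
    return value


def plan_update(owner, name):
    """Return (cwd, argv lists) for the update without building a shell string."""
    cwd = os.path.join(BASE_DIR, checked(owner, "owner"), checked(name, "name"))
    return cwd, [["hg", "pull"], ["hg", "update", "-C"]]


def update_repo(owner, name):
    """Run the planned commands; each argv is passed as a list, so no shell parses it."""
    cwd, commands = plan_update(owner, name)
    for argv in commands:
        subprocess.run(argv, cwd=cwd, check=True)


if __name__ == "__main__":
    hostile = ";echo INJECTED #"  # constructed value in the advisory's ;{cmd}# shape
    print(vulnerable_command(hostile, "repo"))  # extra command ends up in the string
    try:
        plan_update(hostile, "repo")
    except ValueError as exc:
        print("rejected:", exc)
    print(plan_update("jumpscale7", "jumpscale_portal"))
```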


LinkedIn: https://www.linkedin.com/in/valery-tyukhmenev/
BI.ZONE: https://bi.zone/
Twitter: @VRico315
Instagram: @VRico315