Описание
1Panel arbitrary file write vulnerability
Summary
An arbitrary file write vulnerability could lead to direct control of the server
Details
Arbitrary file creation
In the api/v1/file.go file, there is a function called SaveContentthat,It recieves JSON data sent by users in the form of a POST request. And the lack of parameter filtering allows for arbitrary file write operations.It looks like this:
- Vulnerable Code
PoC
- We can write the SSH public key into the /etc/.root/authorized_keys configuration file on the server.
-
The server was successfully written to the public key
-
Successfully connected to the target server using an SSH private key.
As a result, the server is directly controlled, causing serious harm
Impact
1Panel v1.4.3
Пакеты
github.com/1Panel-dev/1Panel
= 1.4.3
1.5.0
Связанные уязвимости
1Panel is an open source Linux server operation and maintenance management panel. In version 1.4.3, an arbitrary file write vulnerability could lead to direct control of the server. In the `api/v1/file.go` file, there is a function called `SaveContentthat,It `recieves JSON data sent by users in the form of a POST request. And the lack of parameter filtering allows for arbitrary file write operations. Version 1.5.0 contains a patch for this issue.