Summary
An arbitrary file write vulnerability could lead to direct control of the server
Details
Arbitrary file creation
In the api/v1/file.go file, there is a function called SaveContentthat,It recieves JSON data sent by users in the form of a POST request. And the lack of parameter filtering allows for arbitrary file write operations.It looks like this:
PoC
- We can write the SSH public key into the /etc/.root/authorized_keys configuration file on the server.
As a result, the server is directly controlled, causing serious harm
Impact
1Panel v1.4.3
darkfive2022 Reporter
Summary
An arbitrary file write vulnerability could lead to direct control of the server
Details
Arbitrary file creation
In the api/v1/file.go file, there is a function called SaveContentthat,It recieves JSON data sent by users in the form of a POST request. And the lack of parameter filtering allows for arbitrary file write operations.It looks like this:
PoC
The server was successfully written to the public key
Successfully connected to the target server using an SSH private key.
As a result, the server is directly controlled, causing serious harm
Impact
1Panel v1.4.3