HIGH 7.5 Go
1Panel arbitrary file write vulnerability
GHSA-hf7j-xj3w-87g4 · CVE-2023-39966 · GO-2023-2006
Published · Modified
Description
Summary
An arbitrary file write vulnerability could lead to direct control of the server.
Details
Arbitrary file creation
In the api/v1/file.go file, there is a function called SaveContent. It receives JSON data sent by users in a POST request, and the lack of parameter filtering allows arbitrary file write operations. It looks like this:
- Vulnerable Code

PoC
- We can write the SSH public key into the /etc/.root/authorized_keys configuration file on the server.

The public key was successfully written to the server.

Successfully connected to the target server using an SSH private key.


As a result, the server is directly controlled, causing serious harm.
Impact
1Panel v1.4.3
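The advisory attributes the bug to missing filtering of the user-supplied path. The following added example (not 1Panel's code and not its actual fix) shows one way a Go file-save handler can confine writes to an allowed directory; `confine`, `within`, `ErrOutsideBase` and the sandbox directory are hypothetical names chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrOutsideBase = errors.New("path escapes allowed base directory")

// within reports whether p is strictly inside base (both cleaned, symlink-free).
func within(base, p string) bool {
	rel, err := filepath.Rel(base, p)
	return err == nil && rel != "." && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// confine maps a user-supplied path to a write target inside base, or fails closed.
func confine(base, userPath string) (string, error) {
	realBase, err := filepath.EvalSymlinks(base)
	if err != nil {
		return "", err
	}
	candidate := filepath.Clean(userPath)
	if !filepath.IsAbs(candidate) {
		candidate = filepath.Join(realBase, candidate)
	}
	// The file may not exist yet, so resolve symlinks in its parent directory.
	parent, err := filepath.EvalSymlinks(filepath.Dir(candidate))
	if err != nil {
		return "", err
	}
	resolved := filepath.Join(parent, filepath.Base(candidate))
	// Reject targets outside base and any existing symlink as the final component.
	fi, lerr := os.Lstat(resolved)
	if !within(realBase, resolved) || (lerr == nil && fi.Mode()&os.ModeSymlink != 0) {
		return "", ErrOutsideBase
	}
	return resolved, nil
}

func main() {
	base, _ := os.MkdirTemp("", "panel-files") // constructed sandbox directory
	defer os.RemoveAll(base)
	for _, p := range []string{"notes.txt", "../x", "/etc/.root/authorized_keys"} {
		target, err := confine(base, p)
		fmt.Printf("%q -> %q, err=%v\n", p, target, err)
	}
}
```

A check-then-write sequence like this can still be raced if another process can swap directories between validation and the write. On Go 1.24 and later, `os.OpenRoot` provides directory-confined file operations that avoid that gap.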