Description
HestiaCP before 1.9.5 contains an authenticated OS command injection vulnerability that allows low-privilege authenticated users to execute arbitrary commands as root by injecting a single-quote character into unvalidated DNS record types. Attackers can exploit insufficient input validation in is_dns_record_format_valid() combined with unsafe eval-based parsing in update_domain_zone() to prematurely close a variable assignment string and achieve full root code execution on the underlying host in a single DNS record creation step.
Problem types
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Product status
Any version before 1.9.5
Credits
Djibril Mounkoro
References
github.com/hestiacp/hestiacp/releases/tag/1.9.5 (Release Notes)
github.com/hestiacp/hestiacp/pull/5197 (Pull Request)
github.com/...ommit/a74babb739aa92e52b12d6ef52b6b9428ffbbb67 (Patch Commit)
www.vulncheck.com/...and-injection-via-dns-record-management