Description
Horde Virtual File System (VFS) API before 3.0.1 contains an OS command injection vulnerability in the Horde_Vfs_Smb driver where the _escapeShellCommand() method fails to sanitize command substitution sequences, allowing authenticated attackers to inject arbitrary shell commands through user-controlled filenames. Attackers can supply malicious filenames containing unescaped command substitution payloads through operations such as file upload, folder creation, rename, or deletion, which are interpolated into a double-quoted shell context and executed via proc_open() through /bin/sh -c before smbclient runs, resulting in arbitrary command execution on the underlying system.
Problem types
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Product status
Any version before 3.0.1
Credits
Hacker Fantastic
References
github.com/horde/Vfs/releases/tag/v3.0.1 (Release Notes)
github.com/horde/Vfs/pull/10 (Fix PR)
github.com/...ommit/41f74b4acfc144e09013d04dd121e0a5da808361 (Fix Commit)
www.vulncheck.com/...mand-injection-via-horde-vfs-smb-driver