OS Command Injection user to admin

Source: www.huntr.dev (huntr report 6AB4384D-BCBE-4D98-BF67-35C3535FC5C7)
Reported by: redstarp2
Date: 2022-07-22 18:25:45

EPSS: 0.002 (Low), percentile 61.7%

Summary

Arbitrary OS commands can be injected through the HestiaCP "Quick Install App" flow when installing DokuWiki, and they execute as the panel's "admin" user.

Description

A user authenticated with the ordinary "User" role can inject shell commands through the DokuWiki installer form. The injected commands run as the "admin" user, so this is a privilege escalation from a low-privileged panel account to the admin account.

Prerequisite

  1. Any authenticated panel account (the "User" role is sufficient).
  2. PHP 7.4 must already be installed on the server, because the DokuWiki installer requires it (only the admin can install PHP 7.4, so the low-privileged attacker depends on it being present already).

Vulnerable Parts

https://github.com/hestiacp/hestiacp/blob/1084a16e7d680235f6ac8c45bd845da35f3dc970/web/src/app/WebApp/Installers/DokuWiki/DokuWikiSetup.php#L88

The installer places $options['wiki_name'] and the other user-supplied $options[...] values into a shell command without escaping them. As the proof-of-concept payload's quoting shows, the value is wrapped in single quotes, so a single quote in the input terminates the argument and everything after it is parsed as shell.
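The following PHP is an added illustration written for this report; it is not HestiaCP's DokuWikiSetup.php. The command line, the install.php script name and the option names are assumptions chosen to mirror the pattern the payload exploits (a user-controlled value dropped inside single quotes in a shell command string), placed next to two hardened forms and an allowlist check.

```php
<?php
// Added illustration for this report, NOT HestiaCP's code. The command line,
// "install.php" and the option names are assumptions that mirror the pattern
// the PoC payload exploits.
declare(strict_types=1);

// Constructed sample input: the exact "Wiki Name" payload from the PoC below.
const POC_WIKI_NAME = "aa';  echo \"injected\" > /tmp/test; id >> /tmp/test ; echo '1";

// VULNERABLE pattern: interpolation inside single quotes. The first quote in
// the payload closes the argument, the commands in the middle run with the
// installer's privileges, and the trailing "echo '1" re-opens a quote so the
// command line still parses cleanly.
function buildCommandVulnerable(array $options): string
{
    return "/usr/bin/php install.php --wiki-name='" . $options['wiki_name'] . "'";
}

// HARDENED pattern 1: escapeshellarg() wraps the value in single quotes and
// rewrites every embedded quote as '\'' so the argument can never be closed
// early; the payload becomes one literal argument.
function buildCommandEscaped(array $options): string
{
    return "/usr/bin/php install.php --wiki-name=" . escapeshellarg($options['wiki_name']);
}

// HARDENED pattern 2 (preferred): build no shell string at all. Since PHP 7.4
// proc_open() accepts an argv array and execs the program directly, so no
// shell ever parses the user input. Not invoked in the demo because
// install.php is a placeholder.
function runWithoutShell(array $options): int
{
    $argv = ['/usr/bin/php', 'install.php', '--wiki-name=' . $options['wiki_name']];
    $proc = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return -1;
    }
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc);
}

// Defense in depth: reject anything outside a conservative allowlist before the
// value gets anywhere near a command, whichever way it is passed.
function isSafeWikiName(string $name): bool
{
    return (bool) preg_match('/^[A-Za-z0-9 _.-]{1,64}$/', $name);
}

$options = ['wiki_name' => POC_WIKI_NAME];
echo "vulnerable: ", buildCommandVulnerable($options), PHP_EOL;
echo "escaped:    ", buildCommandEscaped($options), PHP_EOL;
echo "allowlist accepts payload: ", var_export(isSafeWikiName(POC_WIKI_NAME), true), PHP_EOL;
```

Running the script prints the two command strings side by side without executing either: in the vulnerable one the payload's quote terminates the argument, in the escaped one the whole payload is a single quoted argument. The allowlist check rejects the payload outright, which is the check a practitioner would want in front of every $options value, not only wiki_name, since the report states that all fields are vulnerable.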

Proof of Concept

[1] Log in to the panel with a "User" role account.

[2] Open the WEB tab: https://XX.XX.XX.XX:8083/list/web/

[3] Click "Add Web Domain".

[4] Enter any domain name in the domain field and save.

[5] On the "Edit Web Domain" page, click "Quick Install App".

[6] Click the "Setup" button for DokuWiki.

[7] All fields are vulnerable; enter the payload in the "Wiki Name" field, fill in the other fields, and click the install button.

// payload

aa';  echo "injected" > /tmp/test; id >> /tmp/test ; echo '1

The leading aa' closes the single-quoted argument, the two commands in the middle execute, and the trailing echo '1 re-opens a quote so the rest of the command line still parses.

[8] Wait about 10 seconds, then read /tmp/test:

injected
uid=1001(admin) gid=1001(admin) groups=1001(admin)

The uid in the output confirms that the injected commands ran as the "admin" user, not as the low-privileged account that submitted the form.

PoC Video

https://drive.google.com/file/d/1wNuGVhsnhmhvUcUa8-LKekuL3DbO4smA/view?usp=sharing
