Improper handling of input value leads to Remote Code Execution or Denial of Service in nilsteampassnet/teampass
Jun 17th 2023
The value of some input fields is inserted directly into a file called "tp.config.php", so an attacker can inject malicious PHP code to perform a remote code execution attack.
Proof of Concept
Go to Settings -> MFA -> Duo Security and enter this payload in the "Client ID" field:
',); phpinfo(); ?>//
Press Enter to save, then click on another tab. An error shows up, and the PHP code has been successfully injected and executed.
An authenticated admin can achieve full remote command execution at the OS level as the web server user.
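The class of bug described above, shown as an added example that is not TeamPass code: a settings writer that pastes the value between quotes, next to one that emits it with var_export() and validates the field before writing. The function names, the `duo_client_id` key and the Client ID pattern are assumptions made for the illustration.

```php
<?php
// Added illustration; all names here are hypothetical, not taken from TeamPass.
// Unsafe pattern: the raw value is pasted between single quotes in PHP source.
function renderSettingUnsafe(string $key, string $value): string
{
    return "    '" . $key . "' => '" . $value . "',\n";
}

// Safer pattern: var_export() emits a correctly escaped PHP string literal,
// so quotes and backslashes in the value cannot terminate the literal.
function renderSettingSafe(string $key, string $value): string
{
    return '    ' . var_export($key, true) . ' => ' . var_export($value, true) . ",\n";
}

// Defence in depth: accept only the characters the field needs (assumed pattern).
function isValidClientId(string $value): bool
{
    return preg_match('/\A[A-Za-z0-9]{1,64}\z/', $value) === 1;
}

function buildConfig(array $settings, callable $render): string
{
    $out = "<?php\nreturn array(\n";
    foreach ($settings as $key => $value) {
        $out .= $render((string) $key, (string) $value);
    }
    return $out . ");\n";
}

// Write the generated config to a temp file and load it back, as the app would.
function roundTrip(array $settings, callable $render): array
{
    $path = tempnam(sys_get_temp_dir(), 'cfg');
    file_put_contents($path, buildConfig($settings, $render), LOCK_EX);
    $loaded = include $path;
    unlink($path);
    return $loaded;
}

// Constructed input: a value whose quote closes the string literal early.
$settings = ['duo_client_id' => "abc', 'injected' => 'yes"];

var_dump(count(roundTrip($settings, 'renderSettingUnsafe')));      // keys loaded from the unsafe file
var_dump(roundTrip($settings, 'renderSettingSafe') === $settings); // does the safe file round-trip?
var_dump(isValidClientId($settings['duo_client_id']));             // does validation accept the value?
```

Storing such settings in a non-executable format (a database row or a JSON file read with json_decode()) removes the code-generation step altogether.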