
I am creating a CMS but I do not know how to write the code to get saved from Command Injection. Let me know if there is an RCE vulnerability in my code.

```php
case 'clearcache':
    global $selected_language;
    $url= $_REQUEST['url'];
    $type = $_REQUEST['type'];

    if($type && $type == 'full') {
        if($selected_language == 'en'){
            exec('curl -X BAN -H "Host: en.mydomain.com" http://0.0.0.0/*',$output,$return);
        }else{
            exec('curl -X BAN -H "Host: www.mydomain.com" http://0.0.0.0/*',$output,$return);
        }
        echo $return;
        exit;
    }else{
        $parse_url=parse_url($url);
        //echo $parse_url['path'];
        if(isset($parse_url['path'])){
            if($selected_language == 'en'){
                exec('curl -X PURGE -H "Host: en.mydomain.com" http://0.0.0.0'.$parse_url['path'],$output,$return);
            }else{
                exec('curl -X PURGE -H "Host: www.mydomain.com" http://0.0.0.0'.$parse_url['path'],$output,$return);
            }
            echo $return;
            exit;
        }else{
            echo "error";
            exit;
        }
    }
    break;
}
```
RiggsFolly
X-HAT
It is a bit weird that `case 'clearcache':` leads you to the powerful option to specify any URL. So a problem might be a DDoS to always rebuild from cache. Hope this is only accessible with a token. – Peter Krebs Jan 03 '22 at 15:46
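
In the PURGE branch of the question's code, `$parse_url['path']` comes from `$_REQUEST['url']` and is concatenated into the `exec()` string unescaped; `parse_url()` does not strip shell metacharacters such as `;`, `$` or backticks, so the path reaches the shell as written. The following is an added example, not the asker's code, showing two hardened forms of that branch; the function names and the path allowlist are assumptions, while the host names and the `0.0.0.0` cache address are taken from the question.

```php
<?php
// Added example. Function names and the allowlist regex are assumptions.

// Returns the path of $url if it contains only allowlisted characters, else null.
function safe_purge_path(string $url): ?string
{
    $path = parse_url($url, PHP_URL_PATH);
    // parse_url() only splits the URL; it does not sanitise, so validate explicitly.
    // \z (not $) so a trailing newline cannot slip through.
    if (!is_string($path) || !preg_match('#^/[A-Za-z0-9/_.\-]*\z#', $path)) {
        return null;
    }
    return $path;
}

// Option 1: no shell at all. Send the request with PHP's cURL extension.
function purge_with_ext(string $method, string $host, string $path): int
{
    $ch = curl_init('http://0.0.0.0' . $path);
    curl_setopt_array($ch, [
        CURLOPT_CUSTOMREQUEST  => $method,            // PURGE or BAN
        CURLOPT_HTTPHEADER     => ['Host: ' . $host],
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 5,
    ]);
    curl_exec($ch);
    return curl_errno($ch);                           // 0 when the transfer succeeded
}

// Option 2: keep exec(), but quote every variable part with escapeshellarg().
function purge_with_exec(string $method, string $host, string $path): int
{
    $cmd = sprintf(
        'curl -X %s -H %s %s',
        escapeshellarg($method),
        escapeshellarg('Host: ' . $host),
        escapeshellarg('http://0.0.0.0' . $path)
    );
    exec($cmd, $output, $return);
    return $return;                                   // curl's exit status
}

// The Host header is picked server-side from a fixed map, never from the request.
$hosts = ['en' => 'en.mydomain.com'];
$host  = $hosts[$selected_language ?? ''] ?? 'www.mydomain.com';
$path  = safe_purge_path($_REQUEST['url'] ?? '');
echo $path === null ? 'error' : purge_with_ext('PURGE', $host, $path);
```

Validation and escaping are independent layers: the allowlist rejects unexpected input early, while Option 1 removes the shell from the request path entirely.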
