Summary: 1Panel, an open-source Linux server operation and maintenance management panel, has an arbitrary file write vulnerability in version 1.4.3; version 1.5. contains a patch for the issue. The vulnerability, tracked as CVE-2023-39966, can lead to complete server control if successfully exploited.
Introduction
1Panel has rapidly become a popular open-source Linux server operation and maintenance management panel owing to its rich features and user-friendly interface. However, a concerning security vulnerability was discovered in version 1.4.3. This vulnerability, assigned the identifier CVE-2023-39966, allows an attacker to write arbitrary files. Consequently, this could lead to the attacker gaining complete control of the server.
In this post, we will be discussing the details surrounding the vulnerability, including the vulnerable code, the exploit, and the mitigation measures. Moreover, we will explain how to identify if you are affected by the vulnerability and what steps you should take to secure your server.
Vulnerable code and exploit details
The arbitrary file write vulnerability in 1Panel version 1.4.3 is caused by a lack of parameter filtering. The SaveContent() function, located in the api/v1/file.go file, writes the content from the request to the path from the request without checking either value, so an attacker can write a file with arbitrary contents, which could lead to server control.
The issue lies within this code snippet:
func SaveContent(c *gin.Context) {
	var contentContent model.ContentContent
	// The bind error is discarded; Path and Content come straight from the request body.
	_ = c.ShouldBindJSON(&contentContent)
	// Path is not validated before the write: this is the vulnerable call.
	utils.WriteToFile(contentContent.Path, contentContent.Content)
	c.JSON(http.StatusOK, model.ApiResult{Result: true, Data: contentContent, Msg: "ok"})
}
An attacker could send a malicious POST request with JSON data to exploit this vulnerability. The lack of filtering in the code allows the attacker to write a file with arbitrary content, ultimately leading to possible server control.
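One way to add the missing path filtering before a write, shown as an added example (it is not 1Panel's actual patch and not code from the original post). The helper names resolveWithinBase and inside, the ErrPathRejected error, and the idea of confining writes to a single base directory are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrPathRejected = errors.New("path rejected: outside base directory or parent missing")

// inside reports whether target is base itself or lies beneath it.
func inside(base, target string) bool {
	rel, err := filepath.Rel(base, target)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// resolveWithinBase (hypothetical helper) maps a client-supplied path onto
// baseDir and rejects anything that would be written outside it.
func resolveWithinBase(baseDir, userPath string) (string, error) {
	if userPath == "" || strings.ContainsRune(userPath, 0) {
		return "", errors.New("empty or malformed path")
	}
	base, err := filepath.EvalSymlinks(baseDir)
	if err != nil {
		return "", err
	}
	// Lexical check: Join cleans "." and ".." segments before the comparison.
	target := filepath.Join(base, userPath)
	if !inside(base, target) {
		return "", ErrPathRejected
	}
	// Symlink check: fail closed unless the parent exists and resolves under base.
	parent, err := filepath.EvalSymlinks(filepath.Dir(target))
	if err != nil || !inside(base, parent) {
		return "", ErrPathRejected
	}
	return filepath.Join(parent, filepath.Base(target)), nil
}

func main() {
	base, _ := os.MkdirTemp("", "panel-files") // constructed sandbox directory
	defer os.RemoveAll(base)
	for _, p := range []string{"index.html", "../../etc/cron.d/job"} {
		got, err := resolveWithinBase(base, p)
		fmt.Printf("%q -> %q, err=%v\n", p, got, err)
	}
}
```

A handler using this would also check the error from ShouldBindJSON and return an error response instead of writing. The final path component is not resolved here, so the write itself should refuse to follow a symlink that already exists at that name.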
Original references
For researchers who would like to study the impact of this vulnerability in depth, we recommend referring to the following original resources:
- 1Panel GitHub repository
- CVE-2023-39966 - National Vulnerability Database
How to know if you are affected and how to protect yourself
If you are using 1Panel version 1.4.3, your server is vulnerable to this arbitrary file write vulnerability. The 1Panel team has already released a patch for this issue in version 1.5.. Therefore, we highly recommend updating your 1Panel service to the latest version (1.5. or newer) as soon as possible.
To update 1Panel, follow the instructions as detailed in the official 1Panel documentation.
Conclusion
CVE-2023-39966 represents a severe vulnerability in 1Panel version 1.4.3, posing risks for organizations and their server environments. By using the information provided in this post, you can identify if you're affected and take the necessary steps to protect your server. Remember, always be cautious and keep your server software updated to avoid newly discovered security vulnerabilities.
Timeline
Published on: 08/10/2023 18:15:00 UTC
Last modified on: 09/08/2023 16:56:00 UTC