Full Report
CyberPanel is a free web hosting control panel. Under the hood, it is a fairly simple Django app whose main purpose is setting up services like FTP, SSH, etc. on a box. It has a login screen to prevent everyone from being able to do this, of course. While reviewing the code, the author noticed that authentication checks were added manually to every API view instead of being enforced globally through a middleware. From reviewing previous findings, they found an authentication bypass for file upload caused by a missed authentication check. From reading about previous findings, they determined that command injection and authentication issues were likely. Do your homework, kids!

Using Semgrep, they stumbled across `upgrademysqlstatus`. This view is missing authentication and executes arbitrary commands on the OS: the best of both worlds! Unfortunately, the command injection didn't work at first because of a recently added `secMiddleware` that was validating inputs to prevent these types of issues. After fuzzing it and trying some Linux tricks, they didn't find anything. However, they did notice a funny design flaw in the input validation: `secMiddleware` only checked the inputs if the request was a POST request. Each URL route in Django can be served for more than one HTTP verb, though, so by making an OPTIONS request the validation is skipped entirely. This yields a successful pre-auth command injection. They found another variant of this as well.

Good write-up! I like that the author did their homework on previous bugs in order to identify pervasive bug patterns in the code base. The bypass for the input validation was quite funny as well.
Analysis Summary
# Vulnerability: Pre-Authentication Command Injection via HTTP OPTIONS Request Bypass
## CVE Details
- CVE ID: CVE-2024-51567, CVE-2024-51568 (two CVEs assigned; context indicates an RCE-related flaw)
- CVSS Score: N/A (Score not explicitly provided in the text, but context suggests **Critical** severity due to pre-auth RCE)
- CWE: CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))
## Affected Systems
- Products: CyberPanel
- Versions: Up to and including v2.3.6
- Configurations: Any instance accessible over the network where the vulnerable endpoints are reachable.
## Vulnerability Description
The vulnerability resides in the pre-authentication endpoint `upgrademysqlstatus`, which was susceptible to OS Command Injection. Although input validation was implemented via a custom `secMiddleware` to prevent injection, this validation module was **only running when the HTTP request method was POST**.
The flaw allows an attacker to bypass this input validation by sending the malicious request using the `OPTIONS` HTTP verb instead of `POST`. Since the endpoint does not properly check authentication and the input validation is skipped for non-POST requests, arbitrary OS commands can be executed with elevated privileges (implied by the use of `sudo` in related functions in the codebase).
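The method-gated validation described above, modelled as an added example rather than CyberPanel's own code: a stand-in `Request` object replaces Django's `HttpRequest`, `weak_sec_middleware` reproduces the pattern of screening parameters only on POST, and `hardened_sec_middleware` plus a `require_methods` decorator show the two independent fixes (screen every verb, and refuse verbs the view does not serve). The metacharacter list, the view body, the `statusfile` parameter name and the sample payload are all assumptions constructed for the demonstration; the view builds an argv list instead of a shell string so the value stays data even if screening is skipped.

```python
import re
from dataclasses import dataclass, field

# Metacharacters an OS-command-injection screen rejects in parameters.
# Simplified stand-in for what a middleware like secMiddleware checks (assumption).
SHELL_META = re.compile(r"[;&|`$<>\n]")


@dataclass
class Request:
    """Minimal stand-in for a Django HttpRequest, constructed for this example."""
    method: str
    path: str
    GET: dict = field(default_factory=dict)
    POST: dict = field(default_factory=dict)
    body_params: dict = field(default_factory=dict)  # parsed JSON/form body

    def all_params(self):
        merged = {}
        for source in (self.GET, self.POST, self.body_params):
            merged.update(source)
        return merged


class Rejected(Exception):
    """Raised when middleware or view refuses the request."""


def screen_params(request):
    for name, value in request.all_params().items():
        if SHELL_META.search(str(value)):
            raise Rejected(f"shell metacharacters in parameter {name!r}")


def weak_sec_middleware(request):
    """Flawed pattern from the write-up: screening runs only for POST, so the
    same parameters sent with any other verb reach the view unchecked."""
    if request.method == "POST":
        screen_params(request)
    return request


def hardened_sec_middleware(request):
    """Screen parameters on every request, whatever the verb."""
    screen_params(request)
    return request


def require_methods(*allowed):
    """Reject verbs the view does not serve (Django ships the equivalent as
    django.views.decorators.http.require_http_methods)."""
    def wrap(view):
        def inner(request):
            if request.method not in allowed:
                raise Rejected(f"method {request.method} not allowed")
            return view(request)
        return inner
    return wrap


def build_status_command(request):
    """Hypothetical view body: builds the argv for reading a status file.
    Returning a list (no shell) keeps metacharacters in the value as plain data."""
    status_file = request.all_params().get("statusfile", "")
    return ["sudo", "cat", status_file]


unrestricted_view = build_status_command
restricted_view = require_methods("POST")(build_status_command)


def dispatch(middleware, view, request):
    """Return ('rejected', reason) or ('handled', argv) for one request."""
    try:
        return ("handled", view(middleware(request)))
    except Rejected as exc:
        return ("rejected", str(exc))


# Constructed probe: the same tainted parameter sent with two verbs.
TAINTED = {"statusfile": "/tmp/status.txt; id"}
post_req = Request("POST", "/upgrademysqlstatus", body_params=TAINTED)
options_req = Request("OPTIONS", "/upgrademysqlstatus", body_params=TAINTED)

if __name__ == "__main__":
    print(dispatch(weak_sec_middleware, unrestricted_view, post_req))         # rejected
    print(dispatch(weak_sec_middleware, unrestricted_view, options_req))      # handled: the gap
    print(dispatch(hardened_sec_middleware, unrestricted_view, options_req))  # rejected
    print(dispatch(weak_sec_middleware, restricted_view, options_req))        # rejected
```

Either fix alone closes the gap shown by the second line of output; applying both is the usual choice, since a verb allowlist on the view also documents which methods the endpoint is meant to serve, and a middleware that ignores the verb cannot be sidestepped by a route that forgets the decorator.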
## Exploitation
- Status: PoC available (Exploit script shared in the article)
- Complexity: Low (Requires knowledge of the bypass technique, no authentication needed)
- Attack Vector: Network
## Impact
- Confidentiality: High (Arbitrary file read/data exfiltration possible via command execution)
- Integrity: High (System configuration modification, arbitrary code execution for persistence)
- Availability: High (System denial of service or complete compromise)
## Remediation
### Patches
- A patch commit exists: `https://github.com/usmannasir/cyberpanel/commit/5b08cd6d53f4dbc2107ad9f555122ce8b0996515`
- Users should upgrade to the fixed version where this vulnerability is addressed.
### Workarounds
- Implement a Web Application Firewall (WAF) rule or equivalent network ingress filtering to block non-whitelisted HTTP methods (like `OPTIONS` or others) destined for API endpoints, or specifically target the vulnerable endpoint if known.
- Configure reverse proxy/load balancer to ensure security middleware runs for all relevant HTTP methods, or restrict access to management functions only to trusted sources if temporary defense is needed.
## Detection
- **Indicators of compromise:** Look for unusual HTTP requests using the `OPTIONS` method directed toward API endpoints, especially those that usually expect `POST` (like `upgrademysqlstatus`). Look for execution of system commands via `sudo cat` or similar patterns initiated from unexpected sources.
- **Detection methods and tools:** Network traffic analysis tools or IDS/IPS systems configured to inspect HTTP headers and payload context for unusual method usage on management APIs. Static analysis tools like Semgrep (as used by the researcher) could be adapted to find endpoints missing checks across multiple HTTP verbs.
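The first indicator above (unexpected verbs on management endpoints) as a small log check, added here as an example and not part of the write-up or CyberPanel: it parses combined-format access log lines, strips the query string, and flags any request to a watched path whose verb is outside that path's allowlist. The log lines are constructed, and the allowlist (only `POST` for `/upgrademysqlstatus`) is an assumption for the demonstration.

```python
import re
from collections import Counter

# Combined log format as written by nginx/Apache.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Watched management endpoints and the verbs they legitimately accept.
# The path comes from the write-up; the verb set is an assumption.
EXPECTED_METHODS = {
    "/upgrademysqlstatus": {"POST"},
}

# Constructed sample log lines (addresses are documentation ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Oct/2024:10:14:02 +0000] "POST /upgrademysqlstatus HTTP/1.1" 200 512',
    '203.0.113.7 - - [27/Oct/2024:10:14:09 +0000] "OPTIONS /upgrademysqlstatus HTTP/1.1" 200 738',
    '198.51.100.4 - - [27/Oct/2024:10:15:30 +0000] "OPTIONS /upgrademysqlstatus?x=1 HTTP/1.1" 200 738',
    '198.51.100.4 - - [27/Oct/2024:10:15:31 +0000] "GET /static/app.css HTTP/1.1" 200 2048',
    '192.0.2.10 - - [27/Oct/2024:10:16:00 +0000] "GET / HTTP/1.1" 302 0',
]


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_unexpected_methods(lines, expected=EXPECTED_METHODS):
    """Return parsed records whose verb is not allowed for a watched path.
    The query string is stripped first so ?x=1 variants still match."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        allowed = expected.get(path)
        if allowed is not None and rec["method"] not in allowed:
            rec["route"] = path
            hits.append(rec)
    return hits


def summarize(hits):
    """Count (source, verb, route) triples so repeated probing stands out."""
    return Counter((h["ip"], h["method"], h["route"]) for h in hits)


if __name__ == "__main__":
    for src, count in summarize(flag_unexpected_methods(SAMPLE_LOG)).items():
        print(count, *src)
```

Browsers send `OPTIONS` as a CORS preflight, so on an instance that is deliberately accessed cross-origin the allowlist should include it for the routes that expect it; a preflight also carries no request body and typically returns a small 204, which the `status` and `size` fields let you filter on. Coupling this with the `sudo` process indicator (a `cat` or similar child of the web server process) gives a second, host-side signal for the same activity.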
## References
- Vendor Advisory: CyberPanel blog announcement (Check official channels for the security release referencing CVE-2024-51567/51568)
- Relevant links - defanged: dreyand[dot]rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v236-pre-auth-rce[dot]html