Vulnerability in JumpScale Portal 7 (CVE-2018-1000666)
In the method notifySpaceModification we can send any text in the owner field. That text is added to the command
cmd="cd /opt/code/%s/%s;hg pull;hg update -C"%(owner,name)
which is executed after string formatting.
Using ;{cmd}# as the owner field value, we can execute any command on the server.
It was fixed by removing the deprecated methods: https://github.com/jumpscale7/jumpscale_portal/pull/108
You can see a reverse shell example with the payload on GitHub: https://github.com/0-complexity/openvcloud/issues/1207
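The project's fix was to delete the methods. Where a similar helper has to stay, the added example below (not JumpScale code) puts the formatted shell string from above next to a version that validates both fields and runs hg with argument lists and a working directory, so no shell parses the input. The function names, the SAFE_NAME policy and the sample values are assumptions made for illustration.

```python
import os
import re
import subprocess

BASE = "/opt/code"  # base directory taken from the command string above
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}")  # assumed naming policy


def legacy_cmd(owner, name):
    """The pattern described above: both fields are formatted into shell text."""
    return "cd /opt/code/%s/%s;hg pull;hg update -C" % (owner, name)


def repo_dir(owner, name, base=BASE):
    """Return the repository path, or raise ValueError for unsafe fields."""
    for field, value in (("owner", owner), ("name", name)):
        if not isinstance(value, str) or not SAFE_NAME.fullmatch(value):
            raise ValueError("rejected %s: %r" % (field, value))
    root = os.path.realpath(base)
    path = os.path.realpath(os.path.join(root, owner, name))
    # Defense in depth: a symlink must not lead outside the base directory.
    if os.path.commonpath([root, path]) != root:
        raise ValueError("path escapes %s: %r" % (base, path))
    return path


def hg_plan(owner, name, base=BASE):
    """Argument vectors plus working directory; no shell parses the fields."""
    cwd = repo_dir(owner, name, base)
    return [(["hg", "pull"], cwd), (["hg", "update", "-C"], cwd)]


def update_space(owner, name, base=BASE):
    """Run the plan; a list argv means subprocess does not invoke a shell."""
    for argv, cwd in hg_plan(owner, name, base):
        subprocess.run(argv, cwd=cwd, check=True, timeout=120)


if __name__ == "__main__":
    crafted = ";echo INJECTED#"  # constructed, harmless value in the ;{cmd}# shape
    print("legacy shell text:", legacy_cmd(crafted, "space"))
    try:
        hg_plan(crafted, "space")
    except ValueError as exc:
        print("hardened:", exc)
    print("hardened plan:", hg_plan("acme", "docs"))
```
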