[PR #223] [MERGED] Fixed command injection vulnerability within report function #238

New issue

Closed

opened 2026-02-25 20:35:01 +03:00 by kerem · 0 comments

kerem commented 2026-02-25 20:35:01 +03:00

Owner

Copy link

📋 Pull Request Information

Original PR: https://github.com/B16f00t/whapa/pull/223
Author: @1d8
Created: 11/4/2024
Status: ✅ Merged
Merged: 11/5/2024
Merged by: @B16f00t

Base: master ← Head: master

---

📝 Commits (1)

• d3b14bd Fixed command injection vulnerability within report function

📊 Changes

1 file changed (+2 additions, -1 deletions)

View changed files

📝 whapa-gui.py (+2 -1)

📄 Description

This PR fixes a command injection vulnerability within the report() function.

Vulnerability information:
When opening HTML reports within Whapa, a specially crafted filename could be used to gain command injection on Linux systems due to how the filename is immediately passed to os.system(xdg-open <filename>) without sanitization.

Proof of Concept

A specially crafted filename can be created via the following command: touch 'report"; touch exploit.txt; ".html'. Then within Whapa, select Open Report & open up the file we just created. After erroring out, our exploit.txt file will then be created.

---

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/B16f00t/whapa/pull/223 **Author:** [@1d8](https://github.com/1d8) **Created:** 11/4/2024 **Status:** ✅ Merged **Merged:** 11/5/2024 **Merged by:** [@B16f00t](https://github.com/B16f00t) **Base:** `master` ← **Head:** `master` --- ### 📝 Commits (1) - [`d3b14bd`](https://github.com/B16f00t/whapa/commit/d3b14bd3a4924556ac99dc30ec6b1aeec2fef025) Fixed command injection vulnerability within report function ### 📊 Changes **1 file changed** (+2 additions, -1 deletions) <details> <summary>View changed files</summary> 📝 `whapa-gui.py` (+2 -1) </details> ### 📄 Description This PR fixes a command injection vulnerability within the report() function. Vulnerability information: When opening HTML reports within Whapa, a specially crafted filename could be used to gain command injection on Linux systems due to how the filename is immediately passed to `os.system(xdg-open <filename>)` without sanitization. ## Proof of Concept A specially crafted filename can be created via the following command: `touch 'report"; touch exploit.txt; ".html'`. Then within Whapa, select *Open Report* & open up the file we just created. After erroring out, our `exploit.txt` file will then be created. --- _{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

kerem 2026-02-25 20:35:01 +03:00

• closed this issue
• added the
  pull-request
  label

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

claude/mi-codigo-e-011CV6Hk8Vi2ELMfFXpjTHZg

No results found.

Labels

Clear labels   

enhancement

  

help wanted

  

pull-request

Mirrored from GitHub Pull Request

No labels

enhancement

help wanted

pull-request

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/whapa#238

No description provided.