CVE-2022-44019 – Total js 4 design weakness (30th Oct 2022)

Preface: "Microframework" is the term for a minimalistic web application framework, as opposed to a full-stack framework. Typically, a microframework does little more than receive an HTTP request, route it to the appropriate controller, dispatch that controller, and return an HTTP response. Microframeworks are often used specifically for building the API of another service or application.

Background: The Total.js framework and the Total.js client-side UI library have no third-party dependencies. Total.js is a server-side MVC framework written in pure JavaScript and optimized for the Node.js runtime. Developers can use any NPM module (PostgreSQL, MongoDB, Redis, JWT, etc.) or existing client-side libraries (D3, Chart.js, FullCalendar, Vue, Angular, etc.) alongside it.
Total js Platform supports three types of visual programming interfaces:

  • Total js Flow, targeted primarily at IoT applications (an alternative to Node-RED)
  • Total js AppBuilder for creating rich server-side API applications
  • Total js Designer for creating UI connected to 3rd party REST services

Vulnerability details: In Total js 4 before 0e5ace7, /api/common/ping can achieve remote command execution via shell metacharacters in the host parameter. Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2022-44019

Cause: The server does not validate that the supplied host is a legitimate hostname or IP address before using it. Because the value is interpolated into a shell command line for ping, shell metacharacters in the host parameter (";", "&&", "||", "|", "$(...)", backticks) are interpreted by the shell, so an attacker can append arbitrary commands to the ping invocation.

Ref: Even if the software developer validates the host with a correct regular expression, the following detail also needs to be considered.
The ping command returns an exit code on both operating systems. On Linux (Bash) it is available as $?, on Windows as %errorlevel%. The exit code is 0 on both operating systems when the ping succeeds and non-zero otherwise (on Linux, 1 when no reply was received and 2 for other errors such as an unresolvable host). This value can be used to conditionally run a command: a command chained with "&&" runs only when ping succeeded, and one chained with "||" runs only when it failed, so an injected payload can make its second command depend on whether the target answered.
