CVE-2024-39907
Published 2024-07-18
Priority: P1 (79)
Severity: critical, CVSS 3.1 base score 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 29.40% (97.9th percentile)
1Panel is a web-based linux server management control panel. There are many sql injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. These sql injections have been resolved in version 1.10.12-tls. Users are advised to upgrade. There are no known workarounds for these issues.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 1panel-dev | 1panel | — | — |
| fit2cloud | 1panel | >= 1.10.9-lts < 1.10.12-lts | 1.10.12-lts |
| github.com | 1panel-dev_1panel | >= 0 < 1.10.12-tls | 1.10.12-tls |
Detection & IOCs
Injected `orderBy` payload observed in the Nuclei template: `command3;ATTACH DATABASE '/tmp/{{randstr}}.txt' AS test;create TABLE test.exp (data text);create TABLE test.exp (data text);drop table test.exp;`
- Exploit traffic targets POST /api/v1/hosts/command/search with a SQL-injected 'orderBy' field containing a SQLite ATTACH DATABASE payload; detect the string 'ATTACH DATABASE' in the request body to this endpoint.
- Successful exploitation produces a response body containing both 'SQL logic error' and 'table exp already exists'; monitor application responses for this combination as a post-exploitation indicator.
- Authentication to 1Panel uses a custom HTTP header 'EntranceCode' with the static base64 value 'ZW50cmFuY2U='; presence of this header in login requests can fingerprint 1Panel instances and attacker tooling.
- 1Panel instances can be fingerprinted via FOFA using icon hashes or TLS certificate CN; use these to identify exposed attack surface.
- The login endpoint accepts JSON with 'ignoreCaptcha':true and 'authMethod':'session'; automated exploit tools will consistently send these fields — use them as a detection signal on the /api/v1/auth/login endpoint.
- The vulnerability requires authentication (a valid session cookie 'psession' must be present from a prior login); exploitation is a two-step HTTP sequence: login first, then inject via the search endpoint.
- The SQL injection payload leverages SQLite's ATTACH DATABASE to write arbitrary files to /tmp on the server; the written filename is randomised per request, so file-based IOCs should use the /tmp/*.txt pattern rather than a fixed name.
- The CVSS score of 9.8 (PR:N) in the template metadata conflicts with the 'Authenticated' classification; the NVD entry and template both note authentication is required, so the PR:N score may be inaccurate — treat this as an authenticated critical vulnerability.
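The first two indicators above (ATTACH DATABASE in a POST body to the search endpoint, and the paired error fragments in a response), implemented as a small Go detector run over constructed sample records. This is an added example, not code from this page, from 1Panel, or from the Nuclei template; the `HTTPRecord` field names, the `SampleRecords` traffic and the rule names are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// HTTPRecord is one HTTP transaction as a log pipeline might store it.
// The field names are an assumption of this example, not a vendor schema.
type HTTPRecord struct {
	Method       string
	Path         string
	RequestBody  string
	ResponseBody string
}

// Finding names the indicator that fired and why.
type Finding struct {
	Rule   string
	Reason string
}

// Endpoint and strings taken from the indicators listed on the page.
const (
	searchEndpoint  = "/api/v1/hosts/command/search"
	attachKeyword   = "ATTACH DATABASE"
	respLogicError  = "SQL logic error"
	respTableExists = "table exp already exists"
)

// Detect applies both indicators to a single record:
//  1. a POST to the command search endpoint whose body carries SQLite's
//     ATTACH DATABASE (matched case-insensitively, since SQLite keywords are);
//  2. a response containing both error fragments the advisory associates
//     with a successful injection, on any path.
func Detect(r HTTPRecord) []Finding {
	var out []Finding
	if r.Method == "POST" && r.Path == searchEndpoint &&
		strings.Contains(strings.ToUpper(r.RequestBody), attachKeyword) {
		out = append(out, Finding{
			Rule:   "cve-2024-39907-request",
			Reason: "ATTACH DATABASE in request body to " + searchEndpoint,
		})
	}
	if strings.Contains(r.ResponseBody, respLogicError) &&
		strings.Contains(r.ResponseBody, respTableExists) {
		out = append(out, Finding{
			Rule:   "cve-2024-39907-response",
			Reason: "response carries both post-exploitation error fragments",
		})
	}
	return out
}

// SampleRecords returns constructed traffic: one benign search and one that
// mirrors the advisory's indicators. Neither is captured from a real system.
func SampleRecords() []HTTPRecord {
	return []HTTPRecord{
		{
			Method:       "POST",
			Path:         searchEndpoint,
			RequestBody:  `{"page":1,"pageSize":10,"groupID":0,"orderBy":"name","order":"ascending","name":"a"}`,
			ResponseBody: `{"code":200,"message":"success"}`,
		},
		{
			Method:       "POST",
			Path:         searchEndpoint,
			RequestBody:  `{"page":1,"pageSize":10,"groupID":0,"orderBy":"name;attach database '/tmp/x.txt' as test;","order":"ascending","name":"a"}`,
			ResponseBody: `{"code":500,"message":"SQL logic error: table exp already exists (1)"}`,
		},
	}
}

func main() {
	for i, rec := range SampleRecords() {
		for _, f := range Detect(rec) {
			fmt.Printf("record %d: %s: %s\n", i, f.Rule, f.Reason)
		}
	}
}
```

The request rule is bound to the endpoint so that a legitimate command body that happens to mention the keyword elsewhere does not fire; the response rule is left path-independent because the advisory describes it as an application-wide post-exploitation signal.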
OSV
osv · 2024-07-22
CVE-2024-39907: 1Panel has an SQL injection issue related to the orderBy clause in github.com/1Panel-dev/1Panel
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/1Panel-dev/1Panel before v1.10.12-tls.
GHSA
ghsa · 2024-07-18
CVE-2024-39907 [CRITICAL] CWE-89: 1Panel has an SQL injection issue related to the orderBy clause
### Summary
There are many SQL injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs.
The proof is as follows.
### Details (one of them)
### PoC
```shell
curl 'http://api:30455/api/v1/hosts/command/search' \
  -H 'Content-Type: application/json' \
  -d '{"page":1,"pageSize":10,"groupID":0,"orderBy":"3","order":"ascending","name":"a"}'
```
As shown in the picture: just by changing the orderBy number we can learn how many columns the data table has. Parameters require strict whitelist filtering.
### Impact
RCE, data leak.
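The whitelist the advisory asks for, written as an added Go example beside the string-concatenating form it replaces. This is not 1Panel's code: the sortable column set, the `UnsafeOrderClause` reference builder and the error type are assumptions of this example; the project's real schema is not given on this page.

```go
package main

import (
	"errors"
	"fmt"
)

// Columns a client may sort on, mapped to the exact SQL identifier that is
// emitted. The set is an assumption of this example.
var allowedOrderBy = map[string]string{
	"name":       "name",
	"created_at": "created_at",
}

// Sort directions, mapped from the API's wire values to SQL keywords.
var allowedOrder = map[string]string{
	"ascending":  "ASC",
	"descending": "DESC",
}

var ErrSortNotAllowed = errors.New("orderBy/order value not in allowlist")

// UnsafeOrderClause is the vulnerable pattern: user input is spliced into
// SQL text. A value like "3" becomes a positional ORDER BY (which is how the
// PoC learns the column count), and a value ending in ";" lets further
// statements follow in a database that accepts multiple statements.
func UnsafeOrderClause(orderBy, order string) string {
	return fmt.Sprintf("ORDER BY %s %s", orderBy, order)
}

// SafeOrderClause only ever emits identifiers from the allowlist. The user's
// string is used as a map key and never copied into the query, so there is
// nothing to escape and nothing to inject.
func SafeOrderClause(orderBy, order string) (string, error) {
	col, ok := allowedOrderBy[orderBy]
	if !ok {
		return "", fmt.Errorf("%w: orderBy=%q", ErrSortNotAllowed, orderBy)
	}
	dir, ok := allowedOrder[order]
	if !ok {
		return "", fmt.Errorf("%w: order=%q", ErrSortNotAllowed, order)
	}
	return fmt.Sprintf("ORDER BY %s %s", col, dir), nil
}

func main() {
	// Constructed inputs: one legitimate sort, the PoC's column probe, and a
	// value shaped like the ATTACH DATABASE payload described on the page.
	inputs := []struct{ orderBy, order string }{
		{"name", "ascending"},
		{"3", "ascending"},
		{"name;ATTACH DATABASE '/tmp/x.txt' AS test;", "ascending"},
	}
	for _, in := range inputs {
		fmt.Printf("unsafe: %q\n", UnsafeOrderClause(in.orderBy, in.order))
		if clause, err := SafeOrderClause(in.orderBy, in.order); err != nil {
			fmt.Println("safe:   rejected:", err)
		} else {
			fmt.Printf("safe:   %q\n", clause)
		}
	}
}
```

Rejecting on a closed map is preferable to escaping or pattern-blocking the input: ORDER BY takes an identifier, not a bound parameter, so placeholders cannot protect it, and a denylist of keywords would still let the positional probe through.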
No detection rules found.
Nuclei
nuclei · CVSS 9.8
CVE-2024-39907 [CRITICAL] 1Panel SQL Injection - Authenticated
1Panel is a web-based linux server management control panel. There are many sql injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. These sql injections have been resolved in version 1.10.12-tls. Users are advised to upgrade. There are no known workarounds for these issues.
Template:
```yaml
id: CVE-2024-39907
info:
  name: 1Panel SQL Injection - Authenticated
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    1Panel is a web-based linux server management control panel. There are many sql injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. These sql injections have been resolve
```
No writeups or analysis indexed.
Published: 2024-07-18