CVE-2023-30260: 
PHP vulnerability analysis and mitigation

Command injection vulnerability (CVE-2023-30260) was discovered in RaspAP raspap-webgui versions 2.8.8 and earlier. The vulnerability was identified in March 2023 and allows remote attackers to execute arbitrary commands via crafted POST requests to the hostapd settings form. The affected software, RaspAP, is a web interface for managing Raspberry Pi-based wireless access points (NVD, Security Advisory).

The vulnerability exists due to improper sanitization of user input in multiple locations, specifically in hostapd.php (lines 103 and 108) and configure_client.php (line 20). The issue stems from unsanitized POST variables being directly fed into commands executed using exec(). The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating high impact on confidentiality, integrity, and availability (NVD, Security Advisory).

An authenticated attacker can execute arbitrary commands with the privileges of the web server (www-data). In the default RaspAP configuration, this vulnerability can be leveraged to gain root access by exploiting configured sudo permissions. The attacker can achieve this by overwriting the OpenVPN client configuration and establishing an OpenVPN connection, allowing execution of arbitrary scripts with root privileges (Security Advisory).

The vulnerability has been patched in RaspAP version 2.8.9. The fix involves applying proper sanitization to the txpower and interface parameters using PHP's built-in escapeshellarg() function before passing them to exec(). Users are advised to upgrade to version 2.8.9 or later to protect against this vulnerability (GitHub PR, Security Advisory).