CVE-2021-42897
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary commands on FeMiner wms V1.0 systems by exploiting improper input validation in the datarec.php file. Attackers can achieve full system compromise by injecting malicious commands through the r_name parameter. All systems running FeMiner wms V1.0 with the vulnerable endpoint exposed are affected.
💻 Affected Systems
- FeMiner wms
📦 What is this software?
Feminer Wms by Feminer Wms Project
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover with attacker gaining root/administrator privileges, data exfiltration, ransomware deployment, and persistent backdoor installation.
Likely Case
Unauthorized command execution leading to data theft, system disruption, and lateral movement within the network.
If Mitigated
Limited impact with proper input validation, command sanitization, and network segmentation preventing exploitation.
🎯 Exploit Status
Exploitation requires only a simple HTTP POST request with malicious payload. The GitHub issue demonstrates the vulnerability clearly.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: No official vendor advisory found
Restart Required: No
Instructions:
1. Check for official patches from FeMiner developers.
2. If no patch exists, implement workarounds immediately.
3. Consider migrating to alternative software if maintenance has been abandoned.
🔧 Temporary Workarounds
Input Validation and Sanitization
Add proper input validation and sanitization to the datarec.php file to prevent command injection.
Edit /wms/src/system/datarec.php and replace vulnerable exec() call with sanitized version using escapeshellarg() or similar functions.
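The following is an added illustration of that workaround, not FeMiner's own code: the vulnerable shape (raw POST value concatenated into an exec() command line) next to a hardened version that allowlists the expected form of r_name and then quotes it with escapeshellarg(). The command name report_tool, the allowlist pattern and the request handling are assumptions; the real datarec.php will differ.

```php
<?php
// Added example (not FeMiner's code): hardening pattern for a PHP endpoint
// that passes a POST parameter to exec(). "report_tool" and the allowlist
// are assumptions; adapt them to what datarec.php actually runs.

declare(strict_types=1);

// BEFORE (vulnerable shape, as the advisory describes): the raw POST value
// is concatenated into the shell command, so ';', '|', '&', '$' and
// backticks inside r_name are interpreted by the shell.
function run_report_vulnerable(string $rName): string
{
    exec('report_tool ' . $rName, $out);   // DO NOT USE
    return implode("\n", $out);
}

// Allowlist the legitimate shape of a record name (assumption: starts with
// a letter or digit, then letters, digits, '_', '.', '-', at most 64 chars).
// Requiring a leading alphanumeric also stops a value such as "--flag"
// from being read by the tool as an option.
function validate_r_name(string $rName): ?string
{
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9_.-]{0,63}\z/', $rName)) {
        return null;
    }
    return $rName;
}

// AFTER: reject anything outside the allowlist, log the rejection for the
// detection rules, and quote the value so the shell sees one argument.
function run_report_hardened(string $rName): string
{
    $safe = validate_r_name($rName);
    if ($safe === null) {
        error_log('datarec: rejected r_name=' . json_encode($rName));
        http_response_code(400);
        return 'invalid r_name';
    }
    // escapeshellarg() wraps the value in single quotes and escapes any
    // embedded single quote, so metacharacters lose their meaning even if
    // the allowlist is later relaxed.
    exec('report_tool ' . escapeshellarg($safe), $out);
    return implode("\n", $out);
}

// Request handling for the endpoint.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $rName = (string)($_POST['r_name'] ?? '');
    echo run_report_hardened($rName);
}
```

The allowlist is the primary control and escapeshellarg() is the second layer: quoting alone does not stop a value that is a valid argument but an unexpected one for the tool, so the regex should describe exactly what a record name looks like in your deployment. The error_log() line gives the web server's error log a stable string that the monitoring section's indicators can match on.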
Web Application Firewall Rules
Implement WAF rules to block malicious patterns in POST requests to datarec.php.
Add WAF rule: Block requests to /wms/src/system/datarec.php containing shell metacharacters (;, |, &, $, `) in POST parameters.
🧯 If You Can't Patch
- Network segmentation: Isolate FeMiner wms systems from internet and restrict internal access to authorized users only.
- Disable vulnerable endpoint: Remove or rename datarec.php file if functionality is not critical.
🔍 How to Verify
Check if Vulnerable:
Test by sending a POST request to /wms/src/system/datarec.php with r_name parameter containing a harmless command like 'whoami' or 'echo test' and check if it executes.
Check Version:
Check application version in configuration files or interface. For FeMiner wms, examine version indicators in the software interface or documentation.
Verify Fix Applied:
After applying fixes, attempt the same test and verify commands are not executed. Check that input validation properly sanitizes the r_name parameter.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to datarec.php with shell commands in parameters
- System logs showing unexpected command execution from web server user
- Web server logs with suspicious patterns in r_name parameter values
Network Indicators:
- HTTP POST requests to /wms/src/system/datarec.php containing shell metacharacters or command strings
- Outbound connections from web server to unexpected destinations
SIEM Query:
source="web_server" AND uri="/wms/src/system/datarec.php" AND POST_param="r_name" AND (POST_value MATCHES "[;&|`$]" OR POST_value CONTAINS "cmd" OR POST_value CONTAINS "sh")
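As an added example of the detection logic above applied to request logs (not part of the advisory or the FeMiner project), the script below scans constructed JSON-lines request events for POSTs to datarec.php whose r_name value contains one of the shell metacharacters from the WAF rule or a command-like token from the SIEM query. The event format (one JSON object per line with src, method, uri and post fields) and the token list are assumptions; map them to the fields your web server or WAF actually exports.

```php
<?php
// Added example (not FeMiner's code): apply the advisory's detection rules
// to constructed request events. Field names are assumptions.

declare(strict_types=1);

const TARGET_URI = '/wms/src/system/datarec.php';

// Shell metacharacters named in the WAF rule: ; & | $ and backtick.
const META_PATTERN = '/[;&|`$]/';

// Command-like tokens from the SIEM query, matched as whole words so that a
// legitimate record name such as "shipment" does not trip the "sh" check.
const CMD_PATTERN = '/\b(cmd|sh|bash|whoami)\b/i';

// Returns a reason string when the event matches the rules, null otherwise.
function classify_event(array $ev): ?string
{
    if (($ev['method'] ?? '') !== 'POST' || ($ev['uri'] ?? '') !== TARGET_URI) {
        return null;
    }
    $value = $ev['post']['r_name'] ?? null;
    if (!is_string($value)) {
        return null;
    }
    if (preg_match(META_PATTERN, $value)) {
        return 'shell metacharacter in r_name';
    }
    if (preg_match(CMD_PATTERN, $value)) {
        return 'command-like token in r_name';
    }
    return null;
}

// Scans newline-separated JSON events and returns the flagged ones.
function scan_log(string $jsonLines): array
{
    $hits = [];
    foreach (explode("\n", trim($jsonLines)) as $n => $line) {
        $ev = json_decode($line, true);
        if (!is_array($ev)) {
            continue;   // skip malformed lines rather than abort the scan
        }
        $reason = classify_event($ev);
        if ($reason !== null) {
            $hits[] = [
                'line'   => $n + 1,
                'reason' => $reason,
                'src'    => $ev['src'] ?? '?',
                'r_name' => $ev['post']['r_name'],
            ];
        }
    }
    return $hits;
}

// Constructed sample events (not real traffic): one benign record name, a
// GET, two requests carrying the metacharacters the advisory lists, and a
// metacharacter in a request to a different endpoint.
$sample = <<<'LOG'
{"src":"10.0.0.5","method":"POST","uri":"/wms/src/system/datarec.php","post":{"r_name":"ORDER-2021-0042"}}
{"src":"10.0.0.5","method":"GET","uri":"/wms/src/system/datarec.php","post":{}}
{"src":"198.51.100.7","method":"POST","uri":"/wms/src/system/datarec.php","post":{"r_name":"test; whoami"}}
{"src":"198.51.100.7","method":"POST","uri":"/wms/src/system/datarec.php","post":{"r_name":"`echo test`"}}
{"src":"10.0.0.9","method":"POST","uri":"/wms/src/system/other.php","post":{"r_name":"a|b"}}
LOG;

foreach (scan_log($sample) as $hit) {
    printf("line %d: %s from %s (r_name=%s)\n",
           $hit['line'], $hit['reason'], $hit['src'], $hit['r_name']);
}
```

Only the third and fourth sample lines are reported: the GET carries no r_name, and the request to other.php is outside the rule's scope. The metacharacter check runs first because it is the higher-confidence signal; the word-boundary token check is the noisier of the two and is the one to tune against your own traffic before alerting on it.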