FastNetMon Community Edition through 1.2.9 contains an OS command injection vulnerability in the Juniper router integration plugin. The _log() function in src/juniper_plugin/fastnetmon_juniper.php (lines 117-118) constructs shell commands by concatenating the $msg parameter directly into exec() calls: exec("echo `date` \"- {FASTNETMON] - " . $msg . " \" >> " . $FILE_LOG_TMP). The $msg variable contains unsanitized data derived from command-line arguments argv[1] through argv[3], which represent the attack IP address, direction, and power. While FastNetMon's C++ core currently passes IP addresses via inet_ntoa() (which only produces safe dotted-decimal notation), the PHP script performs no input validation or shell escaping. If the script is invoked directly, by another orchestration system, or if future code changes pass string-sourced IPs, arbitrary commands can be injected. The correct fix is to replace exec() with file_put_contents() or use escapeshellarg() on all parameters.
The _log() function in src/juniper_plugin/fastnetmon_juniper.php file (lines 117–118) constructs shell commands by directly concatenating the $msg parameter with the exec() call: exec("echo `date` \"- [FASTNETMON] - " . $msg . " \" >> " . $FILE_LOG_TMP). The $msg variable contains unvalidated data from command-line arguments argv[1]–argv[3], which represent the attack IP address, traffic direction, and attack strength. The PHP script performs no input validation or shell argument escaping, enabling arbitrary command injection. The vulnerability is active when the script is invoked directly, called by an external orchestration system, or after any potential future code changes passing data other than safe decimal-dot notation.
An attacker who can control arguments passed to the PHP script can execute arbitrary system commands in the context of the process permissions, which may lead to full server takeover, data disclosure, and violation of system integrity and availability.
Apply patches available from the vendor according to references. As a temporary workaround, it is recommended to replace the exec() call with file_put_contents() function or apply escapeshellarg() to all input parameters. You should also restrict the ability to directly invoke the PHP script by unauthorized systems or users.
FastNetMon Community Edition versions up to 1.2.9 (inclusive), with active Juniper plugin integration (file src/juniper_plugin/fastnetmon_juniper.php)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HPavel Odintsov Fastnetmon
APPPavel-Odintsov≤ 1.2.9
Related vulnerabilities
FastNetMon: integer overflow w enkodowaniu BGP AS_PATH prowadzący do heap buffer overflow
Stack buffer overflow w FastNetMon — RCE przez BGP NLRI
FastNetMon: off-by-one heap buffer overflow umożliwiający RCE
FastNetMon Community Edition through 1.2.9 contains an integer overflow vulnerability in the packet capture bu...
FastNetMon Community Edition through 1.2.9 contains multiple out-of-bounds reads in the BGP MP_REACH_NLRI IPv6...