
Summary

When an attacker obtains the backend login path of RatPanel (including but not limited to weak default paths, brute-force guessing, etc.), they can execute system commands or take over hosts managed by the panel without logging in. Besides this remote code execution (RCE) vulnerability, the flawed code also leads to unauthorized access.

Details

In Go, r.URL.Path holds the part of the URL after the host and port and before the query string or fragment. For example, for the URL https://localhost:8080/api/ws/ssh?id=1 the path is /api/ws/ssh. If the request is instead made to https://localhost:8080//api/ws/ssh?id=1, the parsed r.URL.Path is //api/ws/ssh.

RatPanel uses the CleanPath middleware from the github.com/go-chi/chi package to clean URLs. The route path inside the chi router is cleaned to /api/ws/ssh, but this middleware does not modify r.URL.Path, which remains //api/ws/ssh. In the must-login middleware, RatPanel matches r.URL.Path against a hard-coded prefix whitelist; because //api/ws does not match the /api/ws prefix, the must-login middleware allows the request, while inside the chi router //api/ws has already been cleaned to /api/ws. This inconsistency leads to an authentication bypass and access to dangerous interfaces such as /api/ws/exec and /api/ws/ssh.

There are some limitations, however. Before exploiting this interface, the attacker must first identify the correct backend address of RatPanel to activate…
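The mismatch described above, shown as an added Go example that is not RatPanel's own code: a minimal must-login middleware whose raw prefix check misses //api/ws/ssh, beside a variant that first normalizes r.URL.Path with path.Clean, the same operation chi's CleanPath applies to the routing path. The X-Session header, the statusFor helper and the single-entry prefix list are stand-ins assumed for the illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// Stand-in for the hard-coded prefix list in the advisory; /api/ws is the one it names.
var protectedPrefixes = []string{"/api/ws"}

// hasProtectedPrefix is the raw check: it tests the string it is given, so
// "//api/ws/ssh" does not start with "/api/ws".
func hasProtectedPrefix(p string) bool {
	for _, prefix := range protectedPrefixes {
		if strings.HasPrefix(p, prefix) {
			return true
		}
	}
	return false
}

// normalizePath collapses repeated slashes and resolves "." and ".." segments,
// as chi's CleanPath does before routing, so auth and routing see one string.
func normalizePath(p string) string { return path.Clean("/" + p) }

// mustLogin rejects unauthenticated requests to protected paths; requiresLogin
// is swapped between the raw and the normalized check.
func mustLogin(next http.Handler, requiresLogin func(string) bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		loggedIn := r.Header.Get("X-Session") != "" // stand-in for real session validation
		if requiresLogin(r.URL.Path) && !loggedIn {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}
// statusFor sends one unauthenticated request through mustLogin and returns the status.
func statusFor(target string, requiresLogin func(string) bool) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	rec := httptest.NewRecorder()
	mustLogin(ok, requiresLogin).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Code
}
func main() {
	fixed := func(p string) bool { return hasProtectedPrefix(normalizePath(p)) }
	fmt.Println(statusFor("//api/ws/ssh?id=1", hasProtectedPrefix), statusFor("//api/ws/ssh?id=1", fixed))
}
```

The raw check returns 200 for the double-slash form while the normalized check returns 401; a regression test on exactly this pair of requests is the cheapest way to keep the auth decision and the routing decision from drifting apart again.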
PT-2025-31881 · Go · github.com/tnborg/panel

