PacketFence
Bug Tracking System

View Issue Details
ID: 0000763
Project: PacketFence
Category: security
View Status: public
Date Submitted: 2009-08-11 09:53
Last Update: 2012-04-23 11:03
Reporter: obilodeau
Assigned To: obilodeau
Priority: normal
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
Platform:
OS:
OS Version:
Product Version:
Target Version: 3.0.2
Fixed in Version: 3.0.2
Summary: 0000763: Unsanitized user input in web_node_register
Description: In web_node_register inside web.pm, an external command is executed (pfcmd) and user controlled data is passed to it. I think that this info is not sanitized enough and that we can perform command injection there.

sub web_node_register {
    my ( $mac, $pid, %info ) = @_;
    my $logger = Log::Log4perl::get_logger('pf::web');
    my $info;
    foreach my $key ( keys %info ) {
        $info{$key} =~ s/[^0-9a-zA-Z_\*\.\-\:_\;\@\ ]/ /g;
        $info .= $key . '="' . $info{$key} . '",';
    }
    chop($info);
    $logger->info(
        "calling $bin_dir/pfcmd 'manage register $mac \"$pid\" $info'");
    my $cmd = $bin_dir . "/pfcmd 'manage register $mac \"$pid\" $info'";
    my $output = qx/$cmd/;
    return 1;
}

I'm not so sure about this one here but I know that web_node_record_user_agent will pass user agent straight to shell with single quote escaping only.

NOTE: Because of the current architecture (running pfcmd instead of calling inside subs) I am pretty sure this is spread all over the place.

I will have to test feasibility of exploitation first.
Additional Information: See http://sial.org/howto/perl/backticks/ for some hints for solutions.
Tags: No tags attached.
fixed in git revision
fixed in mtn revision
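
One way to make the call quoted in the description without a shell, as an added example (not PacketFence's code and not the fix that shipped in 3.0.2). The names `capture_noshell`, `valid_mac` and `register_node`, the MAC format check and the stand-in command are assumptions made for illustration; how pfcmd itself parses its argument is outside what this shows.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Run a program and capture its output WITHOUT a shell: the list form of
# open() hands each element to exec() as one argv entry, so quotes, ';',
# '$(...)' and backticks in the data are never interpreted.
sub capture_noshell {
    my (@argv) = @_;
    open( my $fh, '-|', @argv ) or die "cannot exec $argv[0]: $!";
    my $output = do { local $/; <$fh> };
    close($fh) or die "$argv[0] exited with status $?";
    return defined $output ? $output : '';
}

# Hypothetical helper: accept only a colon-separated MAC address.
sub valid_mac {
    my ($mac) = @_;
    return $mac =~ /\A[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5}\z/ ? 1 : 0;
}

# Shell-free variant of the call made in web_node_register. The command is
# passed in as an array ref so the demo below can substitute a stand-in.
sub register_node {
    my ( $pfcmd, $mac, $pid, %info ) = @_;
    die "invalid MAC address\n" unless valid_mac($mac);
    my $info = join ',', map { $_ . '="' . $info{$_} . '"' } sort keys %info;
    # pfcmd still receives ONE argument, as it did through the shell.
    return capture_noshell( @$pfcmd, "manage register $mac \"$pid\" $info" );
}

# Demo with constructed input. The stand-in is perl itself, printing each
# argument it received, so nothing from PacketFence needs to be installed.
my @stand_in = ( $^X, '-e', 'print "[$_]\n" for @ARGV' );
my $pid      = q{bob'; echo INJECTED; '};    # constructed value with shell metacharacters
print register_node( \@stand_in, '00:11:22:33:44:55', $pid, notes => 'lab' );

# A constructed malformed MAC is refused before anything is executed.
eval { register_node( \@stand_in, q{00:11:22:33:44:55'; echo X}, 'bob' ) };
print "rejected: $@" if $@;
```

With the list form the constructed `$pid` reaches the stand-in as part of a single bracketed argument, because no shell ever parses the string. Pass `[ "$bin_dir/pfcmd" ]` in place of the stand-in to apply the same pattern to the real command.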
-  Notes
(0002634)
obilodeau (reporter)
2012-04-04 11:17

a fix was made earlier, we forgot to update and close this ticket
(0002635)
obilodeau (reporter)
2012-04-04 11:17

made ticket public since it's fixed since a little while

- Issue History
Date Modified Username Field Change
2009-08-11 09:53 obilodeau New Issue
2009-08-19 15:55 obilodeau Status new => assigned
2009-08-19 15:55 obilodeau Assigned To => obilodeau
2010-05-05 09:30 obilodeau Category future => security
2011-01-18 10:03 obilodeau Target Version => 2.0.1
2011-01-26 15:30 obilodeau Target Version 2.0.1 => 2.0.2
2011-03-03 15:19 obilodeau Target Version 2.0.2 => +1
2012-04-04 11:17 obilodeau Note Added: 0002634
2012-04-04 11:17 obilodeau Status assigned => closed
2012-04-04 11:17 obilodeau Resolution open => fixed
2012-04-04 11:17 obilodeau Fixed in Version => 3.0.2
2012-04-04 11:17 obilodeau Note Added: 0002635
2012-04-04 11:17 obilodeau View Status private => public
2012-04-23 11:03 obilodeau Target Version +1 => 3.0.2

