PacketFence - BTS - PacketFence | |||||
| View Issue Details | |||||
| ID | Project | Category | View Status | Date Submitted | Last Update |
| 0000763 | PacketFence | security | public | 2009-08-11 09:53 | 2012-04-23 11:03 |
| Reporter | obilodeau | ||||
| Assigned To | obilodeau | ||||
| Priority | normal | Severity | major | Reproducibility | have not tried |
| Status | closed | Resolution | fixed | ||
| Platform | OS | OS Version | |||
| Product Version | |||||
| Target Version | 3.0.2 | Fixed in Version | 3.0.2 | ||
| fixed in git revision | |||||
| fixed in mtn revision | |||||
| Summary | 0000763: Unsanitized user input in web_node_register | ||||
| Description | In web_node_register inside web.pm, an external command is executed (pfcmd) and user controlled data is passed to it. I think that this info is not sanitized enough and that we can perform command injection there. sub web_node_register { my ( $mac, $pid, %info ) = @_; my $logger = Log::Log4perl::get_logger('pf::web'); my $info; foreach my $key ( keys %info ) { $info{$key} =~ s/[^0-9a-zA-Z_\*\.\-\:_\;\@\ ]/ /g; $info .= $key . '="' . $info{$key} . '",'; } chop($info); $logger->info( "calling $bin_dir/pfcmd 'manage register $mac \"$pid\" $info'"); my $cmd = $bin_dir . "/pfcmd 'manage register $mac \"$pid\" $info'"; my $output = qx/$cmd/; return 1; } I'm not so sure about this one here but I know that web_node_record_user_agent will pass user agent straight to shell with single quote escaping only. NOTE: Because of the current architecture (running pfcmd instead of calling inside subs) I am pretty sure this is spreaded all over the place. I will have to test fesability of exploitation first. | ||||
| Steps To Reproduce | |||||
| Additional Information | See http://sial.org/howto/perl/backticks/ [^] for some hints for solutions. | ||||
| Tags | No tags attached. | ||||
| Relationships | |||||
| Attached Files | |||||
| Issue History | |||||
| Date Modified | Username | Field | Change | ||
| 2009-08-11 09:53 | obilodeau | New Issue | |||
| 2009-08-19 15:55 | obilodeau | Status | new => assigned | ||
| 2009-08-19 15:55 | obilodeau | Assigned To | => obilodeau | ||
| 2010-05-05 09:30 | obilodeau | Category | future => security | ||
| 2011-01-18 10:03 | obilodeau | Target Version | => 2.0.1 | ||
| 2011-01-26 15:30 | obilodeau | Target Version | 2.0.1 => 2.0.2 | ||
| 2011-03-03 15:19 | obilodeau | Target Version | 2.0.2 => +1 | ||
| 2012-04-04 11:17 | obilodeau | Note Added: 0002634 | |||
| 2012-04-04 11:17 | obilodeau | Status | assigned => closed | ||
| 2012-04-04 11:17 | obilodeau | Resolution | open => fixed | ||
| 2012-04-04 11:17 | obilodeau | Fixed in Version | => 3.0.2 | ||
| 2012-04-04 11:17 | obilodeau | Note Added: 0002635 | |||
| 2012-04-04 11:17 | obilodeau | View Status | private => public | ||
| 2012-04-23 11:03 | obilodeau | Target Version | +1 => 3.0.2 | ||
| Notes | |||||
|
|
|||||
|
|
||||
|
|
|||||
|
|
||||