Anonymous | Login | 2024-11-23 02:33 EST |
Main | My View | View Issues | Change Log | Roadmap |
View Issue Details [ Jump to Notes ] | [ Issue History ] [ Print ] | |||||||
ID | Project | Category | View Status | Date Submitted | Last Update | |||
0000763 | PacketFence | security | public | 2009-08-11 09:53 | 2012-04-23 11:03 | |||
Reporter | obilodeau | |||||||
Assigned To | obilodeau | |||||||
Priority | normal | Severity | major | Reproducibility | have not tried | |||
Status | closed | Resolution | fixed | |||||
Platform | OS | OS Version | ||||||
Product Version | ||||||||
Target Version | 3.0.2 | Fixed in Version | 3.0.2 | |||||
Summary | 0000763: Unsanitized user input in web_node_register | |||||||
Description | In web_node_register inside web.pm, an external command is executed (pfcmd) and user controlled data is passed to it. I think that this info is not sanitized enough and that we can perform command injection there. sub web_node_register { my ( $mac, $pid, %info ) = @_; my $logger = Log::Log4perl::get_logger('pf::web'); my $info; foreach my $key ( keys %info ) { $info{$key} =~ s/[^0-9a-zA-Z_\*\.\-\:_\;\@\ ]/ /g; $info .= $key . '="' . $info{$key} . '",'; } chop($info); $logger->info( "calling $bin_dir/pfcmd 'manage register $mac \"$pid\" $info'"); my $cmd = $bin_dir . "/pfcmd 'manage register $mac \"$pid\" $info'"; my $output = qx/$cmd/; return 1; } I'm not so sure about this one here but I know that web_node_record_user_agent will pass user agent straight to shell with single quote escaping only. NOTE: Because of the current architecture (running pfcmd instead of calling inside subs) I am pretty sure this is spreaded all over the place. I will have to test fesability of exploitation first. | |||||||
Additional Information | See http://sial.org/howto/perl/backticks/ [^] for some hints for solutions. | |||||||
Tags | No tags attached. | |||||||
fixed in git revision | ||||||||
fixed in mtn revision | ||||||||
Attached Files | ||||||||
Notes | |
(0002634) obilodeau (reporter) 2012-04-04 11:17 |
a fix was made earlier, we forgot to update and close this ticket |
(0002635) obilodeau (reporter) 2012-04-04 11:17 |
made ticket public since it's fixed since a little while |
Issue History | |||
Date Modified | Username | Field | Change |
2009-08-11 09:53 | obilodeau | New Issue | |
2009-08-19 15:55 | obilodeau | Status | new => assigned |
2009-08-19 15:55 | obilodeau | Assigned To | => obilodeau |
2010-05-05 09:30 | obilodeau | Category | future => security |
2011-01-18 10:03 | obilodeau | Target Version | => 2.0.1 |
2011-01-26 15:30 | obilodeau | Target Version | 2.0.1 => 2.0.2 |
2011-03-03 15:19 | obilodeau | Target Version | 2.0.2 => +1 |
2012-04-04 11:17 | obilodeau | Note Added: 0002634 | |
2012-04-04 11:17 | obilodeau | Status | assigned => closed |
2012-04-04 11:17 | obilodeau | Resolution | open => fixed |
2012-04-04 11:17 | obilodeau | Fixed in Version | => 3.0.2 |
2012-04-04 11:17 | obilodeau | Note Added: 0002635 | |
2012-04-04 11:17 | obilodeau | View Status | private => public |
2012-04-23 11:03 | obilodeau | Target Version | +1 => 3.0.2 |
Copyright © 2000 - 2012 MantisBT Group |