Bug #6371

closed

Remote command execution via diag_smart.php

Added by Jim Pingle almost 8 years ago. Updated about 7 years ago.

Status:
Resolved
Priority:
Very High
Assignee:
Category:
Web Interface
Target version:
Start date:
05/19/2016
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.3.1
Affected Architecture:

Description

When action=config and smartmonemail contains a backticked shell command, it is executed on submit. The parameter does have escapeshellarg() but apparently, at least in this case, the backticks are still being executed.

Attacker still needs to work around CSRF and so on.

To me, I have a fix pending.
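One common way a value passed through escapeshellarg() can still reach the shell as a command substitution is that the quoted result gets spliced into a string that is itself already single-quoted; the ticket does not show the affected code, so that cause is an assumption here. The added example below (not pfSense code and not part of the ticket) reimplements the Unix quoting rule of escapeshellarg() in Python and runs a simplified quote-state scanner over two constructed command templates; the templates, file path and sample value are all hypothetical.

```python
def php_escapeshellarg(value):
    """Quoting rule of PHP's escapeshellarg() on Unix: wrap the value in
    single quotes and rewrite each embedded ' as '\\'' ."""
    return "'" + value.replace("'", "'\\''") + "'"


def live_substitutions(command):
    """Offsets of each backtick or $( that a POSIX shell would treat as
    command-substitution syntax (unquoted or inside double quotes).
    Simplified scanner: tracks quotes and backslashes only."""
    hits, quote, i = [], None, 0
    while i < len(command):
        ch = command[i]
        if quote == "'":                  # inside '...': everything is literal
            if ch == "'":
                quote = None
        elif ch == "\\":                  # backslash protects the next character
            i += 1
        elif ch == "'" and quote is None:
            quote = "'"
        elif ch == '"':
            quote = None if quote == '"' else '"'
        elif ch == "`" or command.startswith("$(", i):
            hits.append(i)
        i += 1
    return hits


# Constructed sample value standing in for the smartmonemail parameter.
SAMPLE = "admin@example.com`id`"
ARG = php_escapeshellarg(SAMPLE)

# Hypothetical templates (assumptions, not pfSense code).
# NESTED splices the escaped value into a string that is already single-quoted,
# so the quotes added by escaping close the outer quote instead of opening one.
NESTED = "sed -i '' 's/^MAILTO=.*/MAILTO=" + ARG + "/' /tmp/example.conf"
# STANDALONE passes the escaped value as a complete argument of its own.
STANDALONE = "printf '%s\\n' " + ARG

if __name__ == "__main__":
    for name, cmd in (("nested", NESTED), ("standalone", STANDALONE)):
        print(name, cmd, "live substitutions at", live_substitutions(cmd))
```

The scanner reports both backticks as live in the nested template and none in the standalone one, which is why escaping has to match the quoting context the value finally lands in.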

Actions #1

Updated by Jim Pingle almost 8 years ago

  • Status changed from Assigned to Feedback
  • % Done changed from 0 to 100

Actions #2

Updated by Jim Pingle almost 8 years ago

  • Status changed from Feedback to Resolved

I can't break either page with the new code, and I looked throughout the rest of the code base for any other similar vectors, but could not find any. Looks good to me with the new code.

Actions #3

Updated by Chris Buechler almost 8 years ago

  • Target version changed from 2.3.2 to 2.3.1-p1

Actions #4

Updated by Jim Pingle about 7 years ago

  • Private changed from Yes to No