Project

General

Profile

Actions
Copy link

Bug #13425

closed

Invalid alias name can still be used by code attempting to validate URL table content

Added by Jim Pingle over 2 years ago. Updated almost 2 years ago.

Status:
Resolved
Priority:
High
Assignee:
Jim Pingle
Category:
Aliases / Tables
Target version:
2.7.0
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
23.01
Release Notes:
Default
Affected Version:
Affected Architecture:

Description

When validating an alias on save, the name is checked for validity, however the name is still used during validation by process_alias_urltable().

The name is used as-is for a filename which means it may include invalid components such as ../, | and other characters to traverse paths and create arbitrary files.

Actions
Copy link
 #1

Updated by Jim Pingle over 2 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions
Copy link
 #2

Updated by Jim Pingle about 2 years ago

  • Plus Target Version changed from 22.11 to 23.01
Actions
Copy link
 #3

Updated by Jordan G about 2 years ago

when attempting to save an alias in 23.01.a.20221111.0600 include an additional / at the end of a URL results in


PHP ERROR: Type: 1, File: /etc/inc/util.inc, Line: 3863, Message: Maximum execution time of 900 seconds exceeded @ 2022-11-12 18:00:31
Actions
Copy link
 #4

Updated by Jim Pingle almost 2 years ago

Jordan Greene wrote in #note-3:

when attempting to save an alias in 23.01.a.20221111.0600 include an additional / at the end of a URL results in

[...]

That was unrelated to this, it was a separate regression. See #13685

Actions
Copy link
 #5

Updated by Jim Pingle almost 2 years ago

  • Status changed from Feedback to Resolved

Attempting a previously working exploit no longer creates an arbitrary file. Marking resolved.

Actions
Copy link
 #6

Updated by Jim Pingle almost 2 years ago

  • Private changed from Yes to No
Actions
Copy link

Also available in: Atom PDF