Project

General

Profile

Actions
Copy link

Bug #13426

closed

``status.php`` uses ``<name>`` component of ``/tmp/rules.packages.<name>`` filenames in shell command without encoding

Added by Jim Pingle over 1 year ago. Updated about 1 year ago.

Status:
Resolved
Priority:
High
Assignee:
Jim Pingle
Category:
Diagnostics
Target version:
2.7.0
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
23.01
Release Notes:
Default
Affected Version:
Affected Architecture:

Description

If there is a file named /tmp/rules.packages.|<command>|.txt, then when an authenticated GUI user loads status.php, the GUI executes <command>.

In combination with another bug that lets users write arbitrary files, such as #13425, a user with sufficient privileges to access status.php could run a command directly or trick another administrator with privileges into running a command.

The commands which work here are of limited use as other characters which might make it more useful also make it fail to trigger. Furthermore, status.php is not linked in the GUI and is typically only run under direction of TAC, so opportunity for exploitation is fairly low.

Actions
Copy link
 #1

Updated by Jim Pingle over 1 year ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions
Copy link
 #2

Updated by Jim Pingle over 1 year ago

  • Plus Target Version changed from 22.11 to 23.01
Actions
Copy link
 #3

Updated by Jim Pingle over 1 year ago

  • Status changed from Feedback to Resolved

Can't reproduce on snapshots. Marking resolved.

Actions
Copy link
 #4

Updated by Jim Pingle about 1 year ago

  • Private changed from Yes to No
Actions
Copy link

Also available in: Atom PDF