Bug #13426
closed``status.php`` uses ``<name>`` component of ``/tmp/rules.packages.<name>`` filenames in shell command without encoding
100%
Description
If there is a file named /tmp/rules.packages.|<command>|.txt
, then when an authenticated GUI user loads status.php
, the GUI executes <command>
.
In combination with another bug that lets users write arbitrary files, such as #13425, a user with sufficient privileges to access status.php
could run a command directly or trick another administrator with privileges into running a command.
The commands which work here are of limited use as other characters which might make it more useful also make it fail to trigger. Furthermore, status.php
is not linked in the GUI and is typically only run under direction of TAC, so opportunity for exploitation is fairly low.
Updated by Jim Pingle over 2 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset 4d9dd165e471394bb2ca520d56f8d8f9a82bb99a.
Updated by Jim Pingle about 2 years ago
- Plus Target Version changed from 22.11 to 23.01
Updated by Jim Pingle about 2 years ago
- Status changed from Feedback to Resolved
Can't reproduce on snapshots. Marking resolved.