Bug #14549
closed
Interface value is not properly validated when submitted on ``interfaces_gif_edit.php`` and ``interfaces_gre_edit.php``
100%
Description
When submitting a form on interfaces_gif_edit.php and interfaces_gre_edit.php the page takes an optional value for the interface, either gifif or greif depending on the page. This is meant to contain the interface name of an existing interface, but the value is not validated before use. This value is passed to either interface_gif_configure() or interface_gre_configure() where it is used in shell commands.
Due to a lack of escaping on commands in the functions being called, it is possible to execute arbitrary commands with a properly formatted submission value for $_POST['gifif'] such as "; touch somefile; #".
The user must be logged in and have sufficient privileges to access either interfaces_gif_edit.php or interfaces_gre_edit.php.
Similar to #14052, the input should be validated and the interface should also be escaped when used in commands.
Updated by Jim Pingle 10 months ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset d69d6c8424ab4299234fb5ec6964682e2e6cbcdd.
Updated by Jim Pingle 8 months ago
- Status changed from Feedback to Resolved
Problem can easily be reproduced on Plus 23.05.1 and CE 2.7.0, but cannot be reproduced on dev snapshots (CE or Plus). Fix appears to be working as expected.