Project

General

Profile

Actions

Bug #14549

closed

Interface value is not properly validated when submitted on ``interfaces_gif_edit.php`` and ``interfaces_gre_edit.php``

Added by Jim Pingle 10 months ago. Updated 6 months ago.

Status:
Resolved
Priority:
High
Assignee:
Category:
Interfaces
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
23.09
Release Notes:
Default
Affected Version:
Affected Architecture:

Description

When submitting a form on interfaces_gif_edit.php and interfaces_gre_edit.php the page takes an optional value for the interface, either gifif or greif depending on the page. This is meant to contain the interface name of an existing interface, but the value is not validated before use. This value is passed to either interface_gif_configure() or interface_gre_configure() where it is used in shell commands.

Due to a lack of escaping on commands in the functions being called, it is possible to execute arbitrary commands with a properly formatted submission value for $_POST['gifif'] such as "; touch somefile; #".

The user must be logged in and have sufficient privileges to access either interfaces_gif_edit.php or interfaces_gre_edit.php.

Similar to #14052, the input should be validated and the interface should also be escaped when used in commands.

Actions #1

Updated by Jim Pingle 10 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #3

Updated by Jim Pingle 7 months ago

  • Status changed from Feedback to Resolved

Problem can easily be reproduced on Plus 23.05.1 and CE 2.7.0, but cannot be reproduced on dev snapshots (CE or Plus). Fix appears to be working as expected.

Actions #4

Updated by Jim Pingle 6 months ago

  • Target version changed from 2.8.0 to 2.7.1
Actions #5

Updated by Jim Pingle 6 months ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF