Project

General

Profile

Actions

Bug #14549

closed

Interface value is not properly validated when submitted on ``interfaces_gif_edit.php`` and ``interfaces_gre_edit.php``

Added by Jim Pingle over 1 year ago. Updated about 1 year ago.

Status:
Resolved
Priority:
High
Assignee:
Category:
Interfaces
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
23.09
Release Notes:
Default
Affected Version:
Affected Architecture:

Description

When submitting a form on interfaces_gif_edit.php and interfaces_gre_edit.php the page takes an optional value for the interface, either gifif or greif depending on the page. This is meant to contain the interface name of an existing interface, but the value is not validated before use. This value is passed to either interface_gif_configure() or interface_gre_configure() where it is used in shell commands.

Due to a lack of escaping on commands in the functions being called, it is possible to execute arbitrary commands with a properly formatted submission value for $_POST['gifif'] such as "; touch somefile; #".

The user must be logged in and have sufficient privileges to access either interfaces_gif_edit.php or interfaces_gre_edit.php.

Similar to #14052, the input should be validated and the interface should also be escaped when used in commands.

Actions

Also available in: Atom PDF