Project

General

Profile

Actions

Bug #14809

closed

``packet_capture.php`` uses ``count`` and ``length`` values in command execution without validation or encoding

Added by Jim Pingle 7 months ago. Updated 6 months ago.

Status:
Resolved
Priority:
Urgent
Assignee:
Category:
Packet Capture
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
23.09
Release Notes:
Default
Affected Version:
Affected Architecture:

Description

The packet_capture.php page uses the values of count and length when executing tcpdump and it doesn't validate that these parameters are the intended type or encode them before use.

The form type is set to 'number' but that client-side validation does not prevent clients from submitting invalid data.

Due to a lack of escaping on commands in the functions being called, it is possible to execute arbitrary commands with a properly formatted submission value for $_POST['count'] or $_POST['length'].

Actions #1

Updated by Jim Pingle 7 months ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100
Actions #2

Updated by Marcos M 6 months ago

  • Status changed from Feedback to Resolved
Actions #3

Updated by Jim Pingle 6 months ago

  • Target version changed from 2.8.0 to 2.7.1
Actions #4

Updated by Jim Pingle 6 months ago

  • Category changed from Diagnostics to Packet Capture
  • Private changed from Yes to No
Actions

Also available in: Atom PDF