Project

General

Profile

Actions

Bug #15135

closed

Potential local file include vulnerability via DNS Resolver Python Module Script include mechanism

Added by Jim Pingle 9 months ago. Updated 5 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
DNS Resolver
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
24.03
Release Notes:
Default
Affected Version:
Affected Architecture:

Description

When the DNS Resolver Python Module function is enabled and a Python Module Script is present, the system also looks for a PHP file to include for additional related functions. The filename for this code starts with the same name as the Python script and ends with _include.inc appended.

Though the python script is tested/validated by Unbound to ensure it is viable, the PHP include is handled separately. It's also not cleaned up to ensure it doesn't traverse paths.

The code should not only make sure the submitted name is a valid and present Python script, but it should also clean it up so it is only a filename (not a path) since that isn't necessary here.

To do anything with this the user has to be logged in, able to write files with a specific name somewhere on the firewall, and have access to the DNS Resolver settings, which makes the barrier fairly high.

Actions #1

Updated by Jim Pingle 9 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #2

Updated by Jim Pingle 6 months ago

  • Status changed from Feedback to Resolved

The added validation prevents any possible means to exploit this, I can't reproduce the original problem on current builds.

Actions #3

Updated by Jim Pingle 5 months ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF