Bug #15135
closed
Potential local file include vulnerability via DNS Resolver Python Module Script include mechanism
100%
Description
When the DNS Resolver Python Module function is enabled and a Python Module Script is present, the system also looks for a PHP file to include for additional related functions. The filename for this code starts with the same name as the Python script and ends with _include.inc appended.
Though the Python script is tested/validated by Unbound to ensure it is viable, the PHP include is handled separately. It's also not cleaned up to ensure it doesn't traverse paths.
The code should not only make sure the submitted name is a valid and present Python script, but it should also clean it up so it is only a filename (not a path) since that isn't necessary here.
To do anything with this the user has to be logged in, able to write files with a specific name somewhere on the firewall, and have access to the DNS Resolver settings, which makes the barrier fairly high.
Updated by Jim Pingle 9 months ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset 12cbb18a93c1f78e05806b6d3c90511e8967f43f.
Updated by Jim Pingle 6 months ago
- Status changed from Feedback to Resolved
The added validation prevents any possible means to exploit this; I can't reproduce the original problem on current builds.
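The kind of check the description asks for (bare filename only, Python script present, include resolved inside one directory), as an added example that is not part of this ticket and is not the code from the changeset. The directory, the function name, the `.py` suffix and the allowed character set are assumptions made for illustration.

```php
<?php
// Added illustration, not pfSense code. MODULE_DIR is a placeholder and
// resolve_module_include() is a hypothetical helper.
const MODULE_DIR = '/path/to/module/scripts';

/**
 * Map a submitted Python module script name to "<name>_include.inc".
 * Returns the resolved include path, or null if the name is rejected.
 */
function resolve_module_include(string $submitted, string $dir = MODULE_DIR): ?string
{
    // A path is never needed here: if basename() changes the value, the
    // input carried directory components, so reject it instead of fixing it.
    $name = basename($submitted);
    if ($name === '' || $name !== $submitted) {
        return null;
    }
    // Assumed allowlist for script names; dots are excluded, so ".." fails.
    if (!preg_match('/\A[A-Za-z0-9_-]+\z/', $name)) {
        return null;
    }
    $base = realpath($dir);
    if ($base === false) {
        return null;
    }
    // Both the Python script and its include must exist, and both must
    // resolve (after symlinks) to regular files directly inside $base.
    foreach (["{$name}.py", "{$name}_include.inc"] as $file) {
        $real = realpath("{$base}/{$file}");
        if ($real === false || dirname($real) !== $base || !is_file($real)) {
            return null;
        }
    }
    return "{$base}/{$name}_include.inc";
}

// Constructed sample data in a temporary directory.
$dir = sys_get_temp_dir() . '/modtest_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("{$dir}/demo.py", "# constructed sample\n");
file_put_contents("{$dir}/demo_include.inc", "<?php // constructed sample\n");

foreach (['demo', '../demo', "{$dir}/demo", 'demo/../demo', 'missing', ''] as $in) {
    $result = resolve_module_include($in, $dir);
    printf("%-40s => %s\n", var_export($in, true), $result ?? 'rejected');
}

unlink("{$dir}/demo.py");
unlink("{$dir}/demo_include.inc");
rmdir($dir);
```

Only the bare name with both files present is accepted; a caller would pass the returned path to its include statement and skip the include on null.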