Bug #15135
closed
Potential local file include vulnerability via DNS Resolver Python Module Script include mechanism
100%
Description
When the DNS Resolver Python Module function is enabled and a Python Module Script is present, the system also looks for a PHP file to include for additional related functions. The filename for this code starts with the same name as the Python script and ends with _include.inc appended.
Though the Python script is tested/validated by Unbound to ensure it is viable, the PHP include is handled separately. It's also not cleaned up to ensure it doesn't traverse paths.
The code should not only make sure the submitted name is a valid and present Python script, but it should also clean it up so it is only a filename (not a path) since that isn't necessary here.
To do anything with this the user has to be logged in, able to write files with a specific name somewhere on the firewall, and have access to the DNS Resolver settings, which makes the barrier fairly high.
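
One way to implement the check described above, as an added example that is not the project's own code. The module directory, the function name resolve_module_include, the sample files, and the assumption that the script name is stored without its .py extension are all hypothetical.

```php
<?php
// Hypothetical module directory; the real location is not given on this page.
const MODULE_DIR = '/tmp/example_unbound_modules';

/**
 * Resolve the optional PHP include that accompanies a Python module script.
 * Returns the absolute path to include, or null when the name is rejected
 * or no companion file exists.
 */
function resolve_module_include(string $script_name, string $module_dir = MODULE_DIR): ?string
{
    // Keep only the final path component, so "a/../b" becomes "b".
    $name = basename($script_name);

    // Reject input that basename() had to alter, and anything outside a
    // conservative character set (\A and \z avoid the trailing-newline match of $).
    if ($name !== $script_name || !preg_match('/\A[A-Za-z0-9_-]+\z/', $name)) {
        return null;
    }

    // The Python script itself must be present in the module directory.
    if (!is_file("{$module_dir}/{$name}.py")) {
        return null;
    }

    // realpath() resolves symlinks; the result must sit directly in the module directory.
    $real = realpath("{$module_dir}/{$name}_include.inc");
    $base = realpath($module_dir);
    if ($real === false || $base === false || dirname($real) !== $base) {
        return null;
    }
    return $real; // the caller would pass this to require_once
}

// Constructed sample files and inputs for the demonstration.
@mkdir(MODULE_DIR, 0700, true);
file_put_contents(MODULE_DIR . '/demo.py', "# constructed sample\n");
file_put_contents(MODULE_DIR . '/demo_include.inc', "<?php // constructed sample\n");

foreach (['demo', '../../tmp/other', 'demo/../demo', 'missing'] as $input) {
    $path = resolve_module_include($input);
    printf("%-16s => %s\n", $input, $path ?? 'rejected');
}
```

Only the first input resolves to a path; the two containing path separators are rejected by the basename() comparison, and the last fails the check that the Python script exists.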