Bug #15856
OpenVPN Status Page and Dashboard Widget use input values without validation
Status: Closed (100% done)
Description
When performing operations using the OpenVPN status page (/status_openvpn.php) or the Dashboard widget (/widgets/widgets/openvpn.widget.php), user input from the remipp variable is sent to the OpenVPN management socket without validation. By manipulating the content of this variable it is possible to send additional arbitrary OpenVPN management commands through the management socket.
Output from the OpenVPN management commands is not returned to the user, but the commands can perform actions such as changing the log verbosity or causing the daemon to exit, resulting in a denial of service. Changes made using these commands do not persist across restarts of the OpenVPN daemons.
Values involved in these commands should be checked for proper form and rejected if they do not match the expected format. It may also be beneficial to strip newlines or other control characters from values being sent to the management socket.
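As an added illustration of the validation the description calls for (this is example code, not code from pfSense or from this ticket), the check below accepts only a well-formed address:port value and rejects anything else, including a value carrying an embedded newline that would otherwise start a second management command. The `<IPv4>:<port>` / `[<IPv6>]:<port>` shape and the `kill <addr>:<port>` command form are assumptions made for the example.

```python
import ipaddress
import re
from typing import Optional

# Assumed shape of a valid remipp value: "<IPv4>:<port>" or "[<IPv6>]:<port>".
# Only ASCII digits/hex are allowed, so any control character (CR, LF, NUL)
# makes the whole value fail instead of being partially accepted.
_REMIPP_V4 = re.compile(r"([0-9]{1,3}(?:\.[0-9]{1,3}){3}):([0-9]{1,5})")
_REMIPP_V6 = re.compile(r"\[([0-9A-Fa-f:.]+)\]:([0-9]{1,5})")


def validate_remipp(value: str) -> Optional[str]:
    """Return a canonical 'addr:port' string if value is well-formed, else None."""
    if not isinstance(value, str) or len(value) > 64:
        return None
    # fullmatch requires the entire string to match: "1.2.3.4:1194\nsignal ..."
    # cannot pass because nothing in the pattern accepts the newline.
    m = _REMIPP_V4.fullmatch(value) or _REMIPP_V6.fullmatch(value)
    if m is None:
        return None
    host, port = m.group(1), int(m.group(2))
    try:
        addr = ipaddress.ip_address(host)  # rejects octets > 255, bad hex, etc.
    except ValueError:
        return None
    if not 1 <= port <= 65535:
        return None
    # Re-emit from the parsed parts rather than echoing the raw input.
    if addr.version == 6:
        return f"[{addr.compressed}]:{port}"
    return f"{addr.compressed}:{port}"


def build_kill_command(remipp: str) -> Optional[str]:
    """Build the single management command to send, or None if input is invalid.

    Assumption for this example: the page disconnects a client by sending
    'kill <addr>:<port>' to the management socket.
    """
    canon = validate_remipp(remipp)
    if canon is None:
        return None
    return f"kill {canon}\n"
```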
Files
Updated by Jim Pingle 6 months ago
- File poc-15856.py added
Attaching a small POC Python script. Edit and adjust the URL, credentials, target page, and port to match the setup being tested. It executes a command to terminate the daemon, which is easily confirmed by checking the service status after running the script.
Updated by Jim Pingle 6 months ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset 92a55a0ad8976975b320bdff11f0512f59d3a2ab.
Updated by Jim Pingle 6 months ago
I merged the changes; they are ready for additional testing.
Updated by Jim Pingle 5 months ago
- Plus Target Version changed from 25.01 to 25.03
Updated by Lev Prokofev 5 months ago
Fix is working; tested on 24.03.
Before fix:
prokleon@pfctl:~$ sudo python3 py.script
|server7|5
signal SIGTERM|-1|
After:
prokleon@pfctl:~$ sudo python3 py.script
invalid input
Updated by Jim Pingle 5 months ago
I'm still waiting to hear back from the original reporter to see if it fixed it for them, too, so I'm keeping this open for now.
Updated by Jim Pingle 5 months ago
- Status changed from Feedback to Resolved
The original reporter responded that the last round of fixes corrected the problem, so this can be closed now.