Bug #16743

closed

``isvalidpid()`` function does not properly check or escape PID file parameter

Added by Jim Pingle 23 days ago. Updated 1 day ago.

Status: Closed
Priority: High
Assignee:
Category: Services
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 26.03
Release Notes: Default
Affected Version:
Affected Architecture:

Description

The isvalidpid() function takes a $pidfile parameter and executes a shell command using that parameter without checking if the file exists first or escaping the file before execution.

As a consequence, it is possible in certain circumstances for an authenticated user to pass parameters to the function resulting in command execution.

A specific example is stopping an OpenVPN service via status_services.php. The code that handles stopping the service uses the id parameter when forming a PID file path, and since that value is not fully validated, a malicious value can trigger command execution.

Users must be authenticated and have privileges to access status_services.php to trigger the issue in that manner.

Simple POC attached.


Files

poc-isvalidpid-exec.py (1.16 KB), Jim Pingle, 03/11/2026 06:27 PM
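
The two missing checks named in the description (file existence and shell escaping), plus validation of the id at the caller, as an added PHP example. It is not pfSense code and not the applied changeset; `PID_DIR`, the `svc_<id>.pid` naming, the `pgrep -F` command and all function names are assumptions made for illustration.

```php
<?php
// Added example, not pfSense code. PID_DIR, the "svc_<id>.pid" naming and
// all function names are assumptions made for illustration.
const PID_DIR = '/var/run';

// The pattern the ticket describes: the path is interpolated into a shell
// command unescaped and without an existence check. Shown for contrast only.
function pid_running_unsafe(string $pidfile): bool
{
    $out = []; $rc = 1;
    exec("pgrep -F {$pidfile} >/dev/null 2>&1", $out, $rc);
    return $rc === 0;
}

// Caller side: accept only a short decimal id before building any path.
function service_pidfile(string $id): ?string
{
    if (preg_match('/^[0-9]{1,5}$/D', $id) !== 1) {
        return null;
    }
    return PID_DIR . "/svc_{$id}.pid";
}

// Callee side: check the file, then pass it as one escaped argument.
function pid_running(string $pidfile): bool
{
    $base = realpath(PID_DIR);
    $real = realpath($pidfile);          // false when the file does not exist
    if ($base === false || $real === false
        || dirname($real) !== $base || !is_file($real)) {
        return false;
    }
    $out = []; $rc = 1;
    exec('pgrep -F ' . escapeshellarg($real) . ' >/dev/null 2>&1', $out, $rc);
    return $rc === 0;
}

// Constructed inputs: one well-formed id and three malformed ones.
foreach (['3', '3 x', '../3', ''] as $id) {
    $file = service_pidfile($id);
    $state = $file === null
        ? 'rejected'
        : (pid_running($file) ? 'running' : 'not running');
    printf("%-8s %s\n", var_export($id, true), $state);
}
```

Hardening the callee protects every caller of the PID check, while validating the id at the caller keeps malformed input from reaching path construction at all.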
Actions #2

Updated by Jim Pingle 22 days ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100

Applied in changeset commit:54b03ca353a5e6ae14c91ed19bfe30f76493d7e9.

Actions #3

Updated by Jim Pingle 21 days ago

  • Plus Target Version changed from 26.07 to 26.03
Actions #4

Updated by Jim Pingle 15 days ago

  • Status changed from Feedback to Closed

I can't reproduce this against any current dev snapshots or patched instances. Looks good, closing.

Actions #5

Updated by Jim Pingle 1 day ago

  • Private changed from Yes to No