Project

General

Profile

Actions
Copy link

Bug #6371

closed

Remote command execution via diag_smart.php

Added by Jim Pingle almost 10 years ago. Updated about 9 years ago.

Status:
Resolved
Priority:
Very High
Assignee:
Jim Pingle
Category:
Web Interface
Target version:
2.3.1-p1
Start date:
05/19/2016
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.3.1
Affected Architecture:

Description

When action=config and smartmonemail contains a backticked shell command, it is executed on submit. The parameter does have escapeshellarg() but apparently, at least in this case, the backticks are still being executed.

Attacker still needs to work around CSRF and so on.

To me, I have a fix pending.

Actions
Copy link
 #1

Updated by Jim Pingle almost 10 years ago

  • Status changed from Assigned to Feedback
  • % Done changed from 0 to 100

Applied in changeset commit:335f1a8977cf0f711c712864379773e410e996a5.

Actions
Copy link
 #2

Updated by Jim Pingle almost 10 years ago

  • Status changed from Feedback to Resolved

I can't break either page with the new code, and I looked throughout the rest of the code base for any other similar vectors, but could not find any. Looks good to me with the new code.

Actions
Copy link
 #3

Updated by Chris Buechler almost 10 years ago

  • Target version changed from 2.3.2 to 2.3.1-p1
Actions
Copy link
 #4

Updated by Jim Pingle about 9 years ago

  • Private changed from Yes to No
Actions
Copy link

Also available in: Atom PDF