Project

General

Profile

Actions

Bug #6371

closed

Remote command execution via diag_smart.php

Added by Jim Pingle over 8 years ago. Updated almost 8 years ago.

Status:
Resolved
Priority:
Very High
Assignee:
Category:
Web Interface
Target version:
Start date:
05/19/2016
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.3.1
Affected Architecture:

Description

When action=config and smartmonemail contains a backticked shell command, it is executed on submit. The parameter does have escapeshellarg() but apparently, at least in this case, the backticks are still being executed.

Attacker still needs to work around CSRF and so on.

To me, I have a fix pending.

Actions

Also available in: Atom PDF