Bug #6475
Closed
Potential command injection vulnerability in auth.inc via system_groupmanager.php
Description
The members[] array in system_groupmanager.php is not properly validated, and is only protected by single quotes in auth.inc when used, which leads to a potential command injection.
Looking elsewhere in auth.inc there are several calls to pw that have parameters in single quotes rather than using escapeshellarg() like they should, so there may be other vectors as well.
Updated by Jim Pingle over 8 years ago
I pushed some input validation which prevents the reported vector but the backend code needs some more work. The following lines look like they should be making use of escapeshellarg() or similar.
source:src/etc/inc/auth.inc#L428
source:src/etc/inc/auth.inc#L452
source:src/etc/inc/auth.inc#L560
source:src/etc/inc/auth.inc#L624
source:src/etc/inc/auth.inc#L779
source:src/etc/inc/auth.inc#L792
Updated by Jim Pingle over 8 years ago
- Status changed from Assigned to Feedback
Additional commits address the other uses of commands in auth.inc mentioned above (and some others). I also added input validation when editing groups from system_usermanager.php, even though it did not appear to be exploitable; the validation was nearly identical to the validation on system_groupmanager.php and nice to have.
Updated by Chris Buechler over 8 years ago
- Status changed from Feedback to Resolved
all looks good now
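The two layers discussed in this ticket (input validation on the members[] array and escapeshellarg() on arguments passed to pw), shown as an added example that is not code from auth.inc or the pfSense commits. The function names, the simplified pw groupmod invocation, the sample request data, and the assumption that member entries are numeric user IDs are all hypothetical.

```php
<?php
// Added illustration, not code from auth.inc. Function names are hypothetical.
// Nothing here is executed by a shell; the commands are only built and printed.

// Pattern described in the report: the value is wrapped in single quotes only.
function groupmod_single_quoted(string $group, int $gid, array $members): string
{
    $list = implode(',', $members);
    return "/usr/sbin/pw groupmod {$group} -g {$gid} -M '{$list}'";
}

// Backend fix: every variable argument goes through escapeshellarg().
function groupmod_escaped(string $group, int $gid, array $members): string
{
    return '/usr/sbin/pw groupmod ' . escapeshellarg($group)
        . ' -g ' . escapeshellarg((string) $gid)
        . ' -M ' . escapeshellarg(implode(',', $members));
}

// Front-end validation (assumption: members are numeric user IDs).
// Returns the rejected entries; an empty array means the input is acceptable.
function invalid_members($members): array
{
    if (!is_array($members)) {
        return [$members];
    }
    return array_values(array_filter($members, function ($m) {
        // Reject nested arrays (members[][]=x) and anything that is not all digits.
        return !is_scalar($m) || !ctype_digit((string) $m);
    }));
}

// Constructed request data: the second entry contains a single quote.
$members = ['1000', "1001' ; echo INJECTED ; '"];

echo groupmod_single_quoted('admins', 1999, $members), "\n";
// The embedded ' closes the quoted string, so a shell would parse the rest
// of the value as separate commands.
echo groupmod_escaped('admins', 1999, $members), "\n";
// Each ' becomes '\'' and the whole member list stays one argument to pw.
echo count(invalid_members($members)), " member value(s) rejected\n";
```

Validation alone stops the reported vector, but escaping at the point where the command is built protects every caller of the backend function, including ones that skip or weaken the form checks.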