Project

General

Profile

Actions

Bug #6475

closed

Potential command injection vulnerability in auth.inc via system_groupmanager.php

Added by Jim Pingle over 5 years ago. Updated over 4 years ago.

Status:
Resolved
Priority:
Urgent
Assignee:
Category:
User Manager / Privileges
Target version:
Start date:
06/09/2016
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.3.x
Affected Architecture:

Description

The members[] array in system_groupmanager.php is not properly validated, and is only protected by single quotes in auth.inc when used, which leads to a potential command injection.

Looking elsewhere in auth.inc there are several calls to pw that have parameters in single quotes rather than using escapeshellarg() like they should, so there may be other vectors as well.

Actions #1

Updated by Jim Pingle over 5 years ago

I pushed some input validation which prevents the reported vector but the backend code needs some more work. The following lines look like they should be making use of escapeshellarg() or similar.

source:src/etc/inc/auth.inc#L428
source:src/etc/inc/auth.inc#L452
source:src/etc/inc/auth.inc#L560
source:src/etc/inc/auth.inc#L624
source:src/etc/inc/auth.inc#L779
source:src/etc/inc/auth.inc#L792

Actions #2

Updated by Jim Pingle over 5 years ago

  • Status changed from Assigned to Feedback

Additional commits address the other uses of commands in auth.inc mentioned above (and some others). I also added input validation when editing groups from system_usermanager.php as well even though it did not appear to be exploitable, the validation was nearly identical to the validation on system_groupmanager.php and nice to have.

Actions #3

Updated by Chris Buechler over 5 years ago

  • Status changed from Feedback to Resolved

all looks good now

Actions #4

Updated by Jim Pingle over 4 years ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF