Bug #6475

Potential command injection vulnerability in auth.inc via system_groupmanager.php

Added by Jim Pingle over 3 years ago. Updated almost 3 years ago.

Status: Resolved
Priority: Urgent
Assignee:
Category: User Manager / Privileges
Target version:
Start date: 06/09/2016
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.3.x
Affected Architecture:

Description

The members[] array in system_groupmanager.php is not properly validated, and is only protected by single quotes in auth.inc when used, which leads to a potential command injection.

Looking elsewhere in auth.inc there are several calls to pw that have parameters in single quotes rather than using escapeshellarg() like they should, so there may be other vectors as well.
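
The difference between single-quote wrapping and escapeshellarg(), plus member validation before the shell is reached, as an added example that is not part of the original ticket or the pfSense source. The function names, the shape of the pw command, the numeric-ID rule and the sample values are assumptions made for illustration; the commands are only printed, never executed.

```php
<?php
// Added example. Names, the pw command shape and the sample data are
// assumptions for illustration, not code copied from auth.inc.

// Pattern described in the ticket: the value is only wrapped in single quotes.
// A single quote inside the value closes the quoting early.
function build_cmd_quoted(array $members): string {
    return "/usr/sbin/pw groupmod -n 'admins' -M '" . implode(',', $members) . "'";
}

// Hardened pattern: escapeshellarg() adds the quotes itself and rewrites
// every embedded ' as '\'' so the value stays one shell argument.
function build_cmd_escaped(array $members): string {
    return '/usr/sbin/pw groupmod -n ' . escapeshellarg('admins')
         . ' -M ' . escapeshellarg(implode(',', $members));
}

// Input validation (assumed rule): every member must be a decimal ID
// that belongs to a known user. Returns a list of error strings.
function validate_members(array $members, array $known_uids): array {
    $errors = [];
    foreach ($members as $m) {
        if (!is_string($m) || !ctype_digit($m)
            || !in_array((int)$m, $known_uids, true)) {
            $errors[] = 'Invalid member: ' . var_export($m, true);
        }
    }
    return $errors;
}

// Constructed sample input standing in for $_POST['members'].
$known_uids = [0, 2000, 2001];
$submitted  = ['2000', "2001'; echo INJECTED; '"];

// Quote-only form: the embedded ' ends the argument and the rest is shell syntax.
echo build_cmd_quoted($submitted), "\n";

// Escaped form: the whole member list remains a single quoted argument.
echo build_cmd_escaped($submitted), "\n";

// Validation rejects the second entry before any command is built.
print_r(validate_members($submitted, $known_uids));
```

Validation and escaping are complementary: validation stops bad input at the form handler, while escapeshellarg() protects the backend call even when some other caller skips validation.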

Associated revisions

Revision 5bef2407 (diff)
Added by Jim Pingle over 3 years ago

Add input validation to system_groupmanager.php to prevent invalid members from being submitted. Ticket #6475

Revision 9630ba1f (diff)
Added by Jim Pingle over 3 years ago

Add input validation to system_groupmanager.php to prevent invalid members from being submitted. Ticket #6475

Revision 2095e91f (diff)
Added by Jim Pingle over 3 years ago

Add input validation to system_groupmanager.php to prevent invalid members from being submitted. Ticket #6475

Revision b2267ff9 (diff)
Added by Jim Pingle over 3 years ago

Validate submitted groups when editing a user. Ticket #6475

Revision 1929acf1 (diff)
Added by Jim Pingle over 3 years ago

Use escapeshellarg on shell calls in auth.inc. Ticket #6475

Revision 6314397f (diff)
Added by Jim Pingle over 3 years ago

Validate submitted groups when editing a user. Ticket #6475

Revision 34bc249f (diff)
Added by Jim Pingle over 3 years ago

Use escapeshellarg on shell calls in auth.inc. Ticket #6475

Revision e63321a5 (diff)
Added by Jim Pingle over 3 years ago

Validate submitted groups when editing a user. Ticket #6475

Revision 0a39f78f (diff)
Added by Jim Pingle over 3 years ago

Use escapeshellarg on shell calls in auth.inc. Ticket #6475

Revision 4bf17edc (diff)
Added by Jim Pingle over 3 years ago

One more escapeshellarg for auth.inc on 2.4. Ticket #6475

History

#1 Updated by Jim Pingle over 3 years ago

I pushed some input validation which prevents the reported vector but the backend code needs some more work. The following lines look like they should be making use of escapeshellarg() or similar.

source:src/etc/inc/auth.inc#L428
source:src/etc/inc/auth.inc#L452
source:src/etc/inc/auth.inc#L560
source:src/etc/inc/auth.inc#L624
source:src/etc/inc/auth.inc#L779
source:src/etc/inc/auth.inc#L792

#2 Updated by Jim Pingle over 3 years ago

  • Status changed from Assigned to Feedback

Additional commits address the other uses of commands in auth.inc mentioned above (and some others). I also added input validation when editing groups from system_usermanager.php, even though it did not appear to be exploitable; the validation was nearly identical to the validation on system_groupmanager.php and nice to have.

#3 Updated by Chris Buechler over 3 years ago

  • Status changed from Feedback to Resolved

All looks good now.

#4 Updated by Jim Pingle almost 3 years ago

  • Private changed from Yes to No
