Potential command injection vulnerability in auth.inc via system_groupmanager.php
The members array in system_groupmanager.php is not properly validated, and is only protected by single quotes in auth.inc when used, which leads to a potential command injection.
Looking elsewhere in auth.inc there are several calls to pw that have parameters in single quotes rather than using escapeshellarg() like they should, so there may be other vectors as well.
#1 Updated by Jim Pingle almost 4 years ago
I pushed some input validation which prevents the reported vector but the backend code needs some more work. The following lines look like they should be making use of escapeshellarg() or similar.
#2 Updated by Jim Pingle almost 4 years ago
- Status changed from Assigned to Feedback
Additional commits address the other uses of commands in auth.inc mentioned above (and some others). I also added input validation when editing groups from system_usermanager.php as well even though it did not appear to be exploitable, the validation was nearly identical to the validation on system_groupmanager.php and nice to have.