Bug #7230

wizard.php - update_config_field() uses eval to set a value in a way that allows variable protections to be bypassed

Added by Jim Pingle about 4 years ago. Updated about 4 years ago.

Status: Resolved
Priority: Urgent
Assignee:
Category: Web Interface
Target version:
Start date: 02/07/2017
Due date:
% Done: 100%
Estimated time:
Affected Version: All
Affected Architecture: All
Release Notes: Default

Description

update_config_field() in wizard.php needs to use eval to construct a variable name that is several array levels deep. The problem lies in the way the value is set for this variable: it can be bypassed in various ways, including using passthru to escape addslashes.

It's easiest to test by using the OpenVPN wizard: get to the step with the interface selection and use Firebug to alter the interface value to be:

wan";echo exec("id");" 

Associated revisions

Revision 5baea4da (diff)
Added by Jim Pingle about 4 years ago

Rather than setting the value directly, minimize exposure to eval() in update_config_field() from wizard.php by constructing a variable reference, then set the value using the reference rather than passing user input through eval(). Fixes #7230

Revision 2c5c799a (diff)
Added by Jim Pingle about 4 years ago

Rather than setting the value directly, minimize exposure to eval() in update_config_field() from wizard.php by constructing a variable reference, then set the value using the reference rather than passing user input through eval(). Fixes #7230

Revision d3da9c7d (diff)
Added by Jim Pingle about 4 years ago

Rather than setting the value directly, minimize exposure to eval() in update_config_field() from wizard.php by constructing a variable reference, then set the value using the reference rather than passing user input through eval(). Fixes #7230
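
The pattern from the description next to a reference-based setter, as an added example (not pfSense code and not taken from the revisions above). It goes one step further than the commit message describes by walking the array by reference without any eval(). The function names, the `->` path separator, the key policy and the sample config layout are assumptions made for illustration.

```php
<?php
// Added illustration; not pfSense code. All function names are hypothetical.

// Pattern described in the report: the submitted value is pasted into PHP
// source text meant for eval(). The source is only returned here, never run.
function eval_source_for(string $field, string $value): string {
    $path = '';
    foreach (explode('->', $field) as $key) {
        $path .= "['" . $key . "']";
    }
    // addslashes() escapes quotes, backslashes and NUL only; the value is
    // still parsed as part of a PHP string literal rather than kept as data.
    return '$config' . $path . ' = "' . addslashes($value) . '";';
}

// Hardened form: resolve the nested element by reference, then assign the
// value as plain data so it never passes through the PHP parser.
function set_config_field(array &$config, string $field, string $value): void {
    $node = &$config;
    foreach (explode('->', $field) as $key) {
        // Assumed key policy: identifier characters only.
        if (!preg_match('/^[A-Za-z0-9_]+$/', $key)) {
            throw new InvalidArgumentException("bad config key: $key");
        }
        if (!is_array($node)) {
            $node = [];          // create missing intermediate levels
        }
        $node = &$node[$key];    // descend one level, keeping a reference
    }
    $node = $value;
}

// Constructed sample config; the submitted value is the test string from the report.
$config = ['openvpn' => ['server' => ['interface' => 'lan']]];
$submitted = 'wan";echo exec("id");"';

// What the eval-based pattern would have handed to the parser.
echo eval_source_for('openvpn->server->interface', $submitted), "\n";

// The reference-based setter stores the same string verbatim.
set_config_field($config, 'openvpn->server->interface', $submitted);
var_dump($config['openvpn']['server']['interface'] === $submitted);
```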

History

#1 Updated by Jim Pingle about 4 years ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100

#2 Updated by Jim Pingle about 4 years ago

  • Status changed from Feedback to Resolved

Fixed

#3 Updated by Jim Pingle about 4 years ago

  • Target version changed from 2.4.0 to 2.3.3

#4 Updated by Jim Pingle about 4 years ago

  • Private changed from Yes to No

#5 Updated by Jim Pingle about 4 years ago

  • Private changed from No to Yes

#6 Updated by Jim Pingle about 4 years ago

  • Private changed from Yes to No
