Bug #7230 (closed)
wizard.php - update_config_field() uses eval to set a value in a way that allows variable protections to be bypassed
Start date: 02/07/2017
% Done: 100%
Affected Version: All
Affected Architecture: All
Description
update_config_field() in wizard.php needs to use eval to construct a variable name that is several array levels deep. The problem lies in the way the value is set for this variable; it can be bypassed in various ways, including using passthru to escape addslashes.
It's easiest to test by using the OpenVPN wizard: get to the step with the interface selection and use Firebug to alter the interface value to be

    wan";echo exec("id");"
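The following PHP is an added illustration of the bug class the report describes; it is not pfSense's wizard.php, nor the fix applied in the changeset below. The function names, the slash-separated path format, the openvpn/step10/interface key layout and the mark() side-effect helper are all assumptions made for the demo. It shows three things the report only states: the reporter's payload closing the double-quoted literal that eval() receives, why addslashes() alone is not a fix (a double-quoted PHP string still interpolates ${expr}, and an expression such as ${passthru(...)} needs no quote or backslash characters, which is one reading of the reporter's passthru remark), and a setter that walks the nested array by reference so no eval() is needed at all.

```php
<?php
// Added illustration of the bug class described in #7230. None of this is
// pfSense's wizard.php or its fix: the function names, the slash-separated
// path format and the openvpn/step10/interface key layout are assumptions.

// Builds the PHP source that a naive eval()-based setter would run. The value
// is spliced into a double-quoted string literal inside that source.
function build_assignment_src(string $path, string $value, bool $escape): string
{
    $var = '$config';
    foreach (explode('/', $path) as $key) {
        $var .= "['" . ($escape ? addslashes($key) : $key) . "']";
    }
    $val = $escape ? addslashes($value) : $value;
    return $var . ' = "' . $val . '";';
}

// Vulnerable pattern: eval() the generated assignment. $escape = true models
// the addslashes() "protection" the reporter says can be bypassed.
function update_config_field_eval(array &$config, string $path, string $value, bool $escape = false): void
{
    eval(build_assignment_src($path, $value, $escape));
}

// Fix: no eval() at all. Walk the nested array by reference and store the
// value as data, so no byte of it is ever parsed as PHP.
function update_config_field_safe(array &$config, string $path, string $value): void
{
    $node = &$config;
    foreach (explode('/', $path) as $key) {
        if (!isset($node[$key]) || !is_array($node[$key])) {
            $node[$key] = [];
        }
        $node = &$node[$key];
    }
    $node = $value;
}

// Side-effect marker used instead of a shell command. It returns 'value' so
// that the interpolated ${mark()} resolves to the in-scope $value parameter
// of the setter and the demo raises no undefined-variable warning.
$marker = null;
function mark(): string
{
    $GLOBALS['marker'] = 'interpolated';
    return 'value';
}

$path   = 'openvpn/step10/interface';
$config = [];

// 1. The reporter's payload, as the source eval() would receive it. Its first
//    " closes the literal, and its trailing " opens a new, empty literal that
//    swallows the closing quote the setter appends.
echo build_assignment_src($path, 'wan";echo exec("id");"', false), "\n";

// 2. Same breakout, observed through the marker rather than by running id.
update_config_field_eval($config, $path, 'wan";$GLOBALS["marker"] = "breakout";"');
var_dump($GLOBALS['marker']);

// 3. addslashes() stops the quote breakout, but a double-quoted string still
//    interpolates ${expr}, which needs no quote or backslash characters.
$GLOBALS['marker'] = null;
update_config_field_eval($config, $path, '${mark()}', true);
var_dump($GLOBALS['marker']);

// 4. The reference walk stores the same payload as an inert string and the
//    marker stays untouched.
$GLOBALS['marker'] = null;
update_config_field_safe($config, $path, 'wan";echo exec("id");"');
var_dump($config['openvpn']['step10']['interface']);
var_dump($GLOBALS['marker']);
```

Run it with the PHP CLI. Step 2 sets the marker through the quote breakout, step 3 sets it even though the value went through addslashes(), and step 4 leaves it null while the config field holds the raw payload as a string. PHP 8.2 and later print a deprecation notice for the ${expr} interpolation in step 3 but still evaluate it; the point of the reference walk is that the value never becomes PHP source in the first place, so neither escaping nor interpolation rules need to be reasoned about.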
Updated by Jim Pingle over 7 years ago
- Status changed from Confirmed to Feedback
- % Done changed from 0 to 100
Applied in changeset 5baea4da88fd6c093582d9c3e9b67cce5d6a1013.
Updated by Jim Pingle over 7 years ago
- Target version changed from 2.4.0 to 2.3.3