Actions
Bug #8153
closedPost-auth RCE in cert_get_publickey() from certs.inc, used in system_camanager.php and system_certmanager.php
Start date:
12/01/2017
Due date:
% Done:
100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
All
Affected Architecture:
Description
cert_get_publickey() in source:src/etc/inc/certs.inc takes user input and uses it in a shell command without encoding, allowing a user to pass malicious input through system_camanager.php and system_certmanager.php during the import process via the cert and key fields.
This requires that the user be logged in and have access to system_camanager.php or system_certmanager.php
Affects 2.3.x in cert_get_modulus() which uses a similar operation, but only happens in system_certmanager.php when editing an existing CSR.
Updated by Jim Pingle about 7 years ago
- Description updated (diff)
- Target version changed from 2.4.3 to 2.4.2-p1
Updated by Jim Pingle about 7 years ago
- Status changed from Confirmed to Feedback
- % Done changed from 0 to 100
Applied in changeset b6dcbd646feb9c7197b4e94a6031b69c2113d679.
Updated by Jim Pingle almost 7 years ago
- Status changed from Feedback to Resolved
Fixed in current snapshots.
Actions