Bug #8153
Post-auth RCE in cert_get_publickey() from certs.inc, used in system_camanager.php and system_certmanager.php
% Done: 100%
Description
cert_get_publickey() in source:src/etc/inc/certs.inc takes user input and splices it into a shell command without encoding (escaping) it, so a user can pass malicious input through system_camanager.php and system_certmanager.php during the import process via the cert and key fields.
This requires that the user be logged in and have access to system_camanager.php or system_certmanager.php.
Also affects 2.3.x through cert_get_modulus(), which uses a similar shell pipeline; there the path is only reachable in system_certmanager.php when editing an existing CSR.
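An added example (not pfSense's own code) showing the defect described above and the shape of the fix in the associated revisions: the "before" function echoes the PEM text through a shell pipe, so the shell parses it; the "after" functions write the PEM text to a temp file and hand only the escaped file path to openssl. Both cert_get_publickey() and cert_get_modulus() are covered, since they share the same pattern. Function names with a _safe suffix, the openssl_with_pem_file() helper and the PEM shape check are assumptions of this example, not pfSense identifiers.

```php
<?php
// Added example, not pfSense code. Requires the openssl binary on PATH.

// BEFORE (shape of the bug): the PEM body becomes part of the command line,
// so /bin/sh interprets any metacharacters it contains instead of openssl
// reading it as data. Shown for contrast only; do not use.
function cert_get_publickey_unsafe($str_crt) {
    return shell_exec("echo \"{$str_crt}\" | openssl x509 -pubkey -noout");
}

// AFTER: never let the PEM text touch the shell. Write it to a temp file
// (PHP's tempnam() creates the file with mode 0600) and pass only the
// escaped path. The PEM body is now file contents, not command text.
// Returns the trimmed openssl stdout on success, false on failure.
function openssl_with_pem_file(string $pem, string $args) {
    // Cheap defense-in-depth: anything that is not PEM shaped is rejected
    // before a process is spawned at all. (Hypothetical check, not the fix.)
    if (strpos($pem, "-----BEGIN ") !== 0 || strpos($pem, "-----END ") === false) {
        return false;
    }
    $tmp = tempnam(sys_get_temp_dir(), "pem");
    if ($tmp === false) {
        return false;
    }
    if (file_put_contents($tmp, $pem) === false) {
        unlink($tmp);
        return false;
    }
    // $args is a fixed string chosen by the caller below; only $tmp comes
    // from runtime data, and it is escaped.
    $cmd = "openssl " . $args . " -in " . escapeshellarg($tmp) . " 2>/dev/null";
    exec($cmd, $out, $rc);
    unlink($tmp);          // private keys must not linger on disk
    return ($rc === 0) ? trim(implode("\n", $out)) : false;
}

// $type selects which openssl subcommand parses the object:
//   'crt' = certificate, 'prv' = private key, 'csr' = signing request
function cert_get_publickey_safe(string $pem, string $type = "crt") {
    $args = [
        'crt' => 'x509 -pubkey -noout',
        'prv' => 'rsa -pubout',
        'csr' => 'req -pubkey -noout',
    ];
    return isset($args[$type]) ? openssl_with_pem_file($pem, $args[$type]) : false;
}

function cert_get_modulus_safe(string $pem, string $type = "crt") {
    $args = [
        'crt' => 'x509 -modulus -noout',
        'prv' => 'rsa -modulus -noout',
        'csr' => 'req -modulus -noout',
    ];
    return isset($args[$type]) ? openssl_with_pem_file($pem, $args[$type]) : false;
}

// Usage (paths are placeholders):
//   $pub = cert_get_publickey_safe(file_get_contents("/path/to/cert.pem"), "crt");
//   $mod = cert_get_modulus_safe(file_get_contents("/path/to/key.pem"), "prv");
//   var_dump($pub !== false, $mod !== false);
```

The property worth checking in a review of code like this is that every byte of user-supplied certificate or key text reaches openssl only through a file descriptor or argv element, never through a string the shell tokenizes; escapeshellarg() on the file path is what keeps the remaining command line safe, and unlinking in every branch keeps private key material from being left in the temp directory.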
Associated revisions
When retrieving a public key for a certificate, private key, or signing request, write the certificate data out to a temp file instead of echoing it through a pipe. Fixes #8153
(cherry picked from commit b6dcbd646feb9c7197b4e94a6031b69c2113d679)
When retrieving the modulus for a certificate, private key, or signing request, write the certificate data out to a temp file instead of echoing it through a pipe. Fixes #8153
When retrieving the modulus for a certificate, private key, or signing request, write the certificate data out to a temp file instead of echoing it through a pipe. Fixes #8153
(cherry picked from commit 6e316e955350ad69d4f86cb332a1a48bfa028e2e)
History
#1
Updated by Jim Pingle over 3 years ago
- Description updated
- Target version changed from 2.4.3 to 2.4.2-p1
#2
Updated by Jim Pingle over 3 years ago
- Status changed from Confirmed to Feedback
- % Done changed from 0 to 100
Applied in changeset b6dcbd646feb9c7197b4e94a6031b69c2113d679.
#3
Updated by Jim Pingle over 3 years ago
- Status changed from Feedback to Resolved
Fixed in current snapshots.
#4
Updated by Jim Pingle over 3 years ago
- Private changed from Yes to No