
Bug #8153

Post-auth RCE in cert_get_publickey() from certs.inc, used in system_camanager.php and system_certmanager.php

Added by Jim Pingle 8 months ago. Updated 7 months ago.

Status: Resolved
Priority: Urgent
Assignee:
Category: Certificates
Target version:
Start date: 12/01/2017
Due date:
% Done: 100%
Affected Version: All
Affected Architecture:

Description

cert_get_publickey() in source:src/etc/inc/certs.inc takes user input and uses it in a shell command without encoding, allowing a user to pass malicious input through system_camanager.php and system_certmanager.php during the import process via the cert and key fields.

This requires that the user be logged in and have access to system_camanager.php or system_certmanager.php.

Affects 2.3.x in cert_get_modulus(), which uses a similar operation, but only happens in system_certmanager.php when editing an existing CSR.

Associated revisions

Revision b6dcbd64
Added by Jim Pingle 8 months ago

When retrieving a public key for a certificate, private key, or signing request, write the certificate data out to a temp file instead of echoing it through a pipe. Fixes #8153

Revision 552d7750
Added by Jim Pingle 8 months ago

When retrieving a public key for a certificate, private key, or signing request, write the certificate data out to a temp file instead of echoing it through a pipe. Fixes #8153

(cherry picked from commit b6dcbd646feb9c7197b4e94a6031b69c2113d679)

Revision 6e316e95
Added by Jim Pingle 8 months ago

When retrieving the modulus for a certificate, private key, or signing request, write the certificate data out to a temp file instead of echoing it through a pipe. Fixes #8153

Revision d3e0194e
Added by Jim Pingle 8 months ago

When retrieving the modulus for a certificate, private key, or signing request, write the certificate data out to a temp file instead of echoing it through a pipe. Fixes #8153

(cherry picked from commit 6e316e955350ad69d4f86cb332a1a48bfa028e2e)
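The defect shape named in the description (user-supplied PEM text echoed through a pipe into a shell command) and the temp-file approach the revisions above take, as an added PHP illustration. This is not pfSense's own code from certs.inc: the function names are hypothetical, and the openssl invocations are the standard ones for each PEM type rather than whatever the project uses.

```php
<?php
// Added illustration of the two patterns this ticket describes; it is not
// pfSense's code. Function names are hypothetical.

// Unsafe pattern (the shape the ticket describes): PEM text from the import
// form is echoed into a pipe, so the shell parses the user's data as part of
// the command line. Shown only so the difference to the fix is visible.
function unsafe_get_publickey($pem) {
    return shell_exec("echo \"{$pem}\" | /usr/bin/openssl x509 -pubkey -noout");
}

// Safe pattern (the approach the fix commits take): write the PEM data to a
// private temp file and hand openssl the file name. Every token on the
// command line is either a fixed string or wrapped in escapeshellarg(), so
// the contents of $pem never reach the shell.
function safe_get_publickey($pem, $type = 'crt') {
    $args = array(
        'crt' => 'x509 -in %s -pubkey -noout',   // certificate
        'csr' => 'req -in %s -pubkey -noout',    // signing request
        'prv' => 'pkey -in %s -pubout',          // private key
    );
    if (!isset($args[$type])) {
        return '';                     // unknown type: refuse rather than guess
    }
    $tmp = tempnam(sys_get_temp_dir(), 'pubkey');
    if ($tmp === false) {
        return '';
    }
    chmod($tmp, 0600);                 // may hold key material: owner-only
    file_put_contents($tmp, $pem);
    $cmd = '/usr/bin/openssl ' . sprintf($args[$type], escapeshellarg($tmp));
    $out = shell_exec($cmd);
    unlink($tmp);                      // never leave the PEM on disk
    return is_string($out) ? $out : '';
}
```

Two points worth checking when reviewing a fix of this kind: the temp file must be created with owner-only permissions and removed on every exit path, since the `key` field of the import form can hold a private key; and the file name, even though generated by the code, should still go through escapeshellarg() so the invariant "nothing on the command line comes from the user" is visible in the code rather than assumed. Where the PHP openssl extension is available, openssl_pkey_get_public() and openssl_pkey_get_details() return the public key without launching a shell at all, which removes the class of bug rather than one instance of it.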

History

#1 Updated by Jim Pingle 8 months ago

  • Description updated (diff)
  • Target version changed from 2.4.3 to 2.4.2_1

#2 Updated by Jim Pingle 8 months ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100

#3 Updated by Jim Pingle 8 months ago

  • Status changed from Feedback to Resolved

Fixed in current snapshots.

#4 Updated by Jim Pingle 7 months ago

  • Private changed from Yes to No
