Project

General

Profile

Actions

Bug #8153

closed

Post-auth RCE in cert_get_publickey() from certs.inc, used in system_camanager.php and system_certmanager.php

Added by Jim Pingle about 7 years ago. Updated about 7 years ago.

Status:
Resolved
Priority:
Urgent
Assignee:
Category:
Certificates
Target version:
Start date:
12/01/2017
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
All
Affected Architecture:

Description

cert_get_publickey() in source:src/etc/inc/certs.inc takes user input and uses it in a shell command without encoding, allowing a user to pass malicious input through system_camanager.php and system_certmanager.php during the import process via the cert and key fields.

This requires that the user be logged in and have access to system_camanager.php or system_certmanager.php

Affects 2.3.x in cert_get_modulus() which uses a similar operation, but only happens in system_certmanager.php when editing an existing CSR.

Actions #1

Updated by Jim Pingle about 7 years ago

  • Description updated (diff)
  • Target version changed from 2.4.3 to 2.4.2-p1
Actions #2

Updated by Jim Pingle about 7 years ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100
Actions #3

Updated by Jim Pingle about 7 years ago

  • Status changed from Feedback to Resolved

Fixed in current snapshots.

Actions #4

Updated by Jim Pingle about 7 years ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF