Bug #8153

closed

Post-auth RCE in cert_get_publickey() from certs.inc, used in system_camanager.php and system_certmanager.php

Added by Jim Pingle over 6 years ago. Updated over 6 years ago.

Status: Resolved
Priority: Urgent
Assignee:
Category: Certificates
Target version:
Start date: 12/01/2017
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: All
Affected Architecture:

Description

cert_get_publickey() in source:src/etc/inc/certs.inc takes user input and uses it in a shell command without encoding, allowing a user to pass malicious input through system_camanager.php and system_certmanager.php during the import process via the cert and key fields.

This requires that the user be logged in and have access to system_camanager.php or system_certmanager.php.

Affects 2.3.x in cert_get_modulus(), which uses a similar operation, but this only happens in system_certmanager.php when editing an existing CSR.
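The class of bug described above, with two ways to avoid it, as an added example. This is not the pfSense code or its fix: the function names, the command lines and the sample input are assumptions constructed for illustration.

```php
<?php
// Added illustration; all function names here are hypothetical.

// UNSAFE (constructed): the imported field is interpolated into the command
// line, so the shell parses whatever the user submitted in that field.
function publickey_unsafe(string $pem): string {
    return (string) shell_exec("echo \"{$pem}\" | openssl x509 -noout -pubkey");
}

// SAFER, option 1: parse in-process with the OpenSSL extension. No shell runs,
// and anything that is not a valid certificate or key is rejected.
function publickey_inprocess(string $pem, string $type = 'crt'): ?string {
    $key = ($type === 'prv')
        ? openssl_pkey_get_private($pem)
        : openssl_pkey_get_public($pem);   // accepts a PEM certificate or public key
    if ($key === false) {
        return null;
    }
    $details = openssl_pkey_get_details($key);
    return $details === false ? null : $details['key'];
}

// SAFER, option 2: if the CLI must be used, the field content goes into a
// temp file and only the escaped file path appears on the command line.
function publickey_via_cli(string $pem): ?string {
    $tmp = tempnam(sys_get_temp_dir(), 'crt');
    file_put_contents($tmp, $pem);
    try {
        $cmd = 'openssl x509 -noout -pubkey -in ' . escapeshellarg($tmp) . ' 2>/dev/null';
        exec($cmd, $out, $rc);
    } finally {
        unlink($tmp);
    }
    return $rc === 0 ? implode("\n", $out) . "\n" : null;
}

// Constructed sample input: a freshly generated key and a non-PEM string.
$pkey = openssl_pkey_new(['private_key_bits' => 2048]);
if ($pkey !== false) {
    openssl_pkey_export($pkey, $private_pem);
    var_dump(publickey_inprocess($private_pem, 'prv') !== null); // valid key is parsed
}
var_dump(publickey_inprocess('not a certificate'));  // invalid import is rejected
var_dump(publickey_via_cli('not a certificate'));    // CLI path also rejects it
```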
