Bug #9061: PowerD command parameter validation and escaping - pfSense - pfSense bugtracker

Actions

Copy link

Bug #9061

closed

PowerD command parameter validation and escaping

Added by Jim Pingle over 5 years ago. Updated over 5 years ago.

Status:

Resolved

Priority:

Urgent

Assignee:

Jim Pingle

Category:

Hardware / Drivers

Target version:

2.4.4-p1

Start date:

10/23/2018

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

Release Notes:

Affected Version:

All

Affected Architecture:

All

Description

The powerd parameters powerd_ac_mode, powerd_battery_mode, and powerd_normal_mode are not validated against the list of expected mode strings in /usr/local/www/system_advanced_misc.php. They are also not escaped before use when invoking the powerd command inside activate_powerd() from /etc/inc/system.inc.

This can lead to an authenticated command injection for users with access to that page.

History
Notes
Property changes
Associated revisions

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Bug #9061

PowerD command parameter validation and escaping

Updated by Jim Pingle over 5 years ago

Updated by Anonymous over 5 years ago

Updated by Anonymous over 5 years ago

Updated by Jim Pingle over 5 years ago