|Anonymous | Login||2021-07-30 17:02 EDT|
|Main | My View | View Issues | Change Log | Roadmap|
|View Issue Details|
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0001295||PacketFence||security||public||2011-10-03 12:13||2011-10-24 20:17|
|Target Version||3.0.2||Fixed in Version||3.0.2|
|Summary||0001295: Command injection in guest management and captive portal web interfaces|
|Description||In both the guest management (html/admin/guest-management.cgi) and captive portal (html/captive-portal/guest-selfregistration.cgi) web interfaces, shell command lines are constructed using several session parameters, which are then passed to the pf_run function for execution. However, these are not escaped, allowing an attacker to execute arbitrary commands on the system.|
The existence of this vulnerability in the guest management interface would not normally be such an issue, however the authentication bypass described in bug 1294 allows the vulnerability to be exposed by an attacker for exploitation.
|Additional Information||A sample request, triggering the injection and making the server create a reverse shell to the attacker listening on 192.168.1.1:1234 (assuming netcat is installed on the server):|
|Tags||No tags attached.|
|fixed in git revision|
|fixed in mtn revision||92f9741dafd035ed1617b8ebb8d6a467cb0f1edb|
|Attached Files||security-fix-1295-command-injection.patch [^] (9,249 bytes) 2011-10-13 13:44 [Show Content]|
Fixed command injection by doing parametrized SQL instead of calling pfcmd person command. While I was there, I fixed a problem with SMS activation where username and lastname were not properly kept (0001308).
Some potentially dangerous characters could still be injected in the SQL-based person creation mechanism so I made sure to sanitize the output in the Web Admin to prevent XSS there:
- Converting dangerous characters into HTML entities in the Web Admin's tableprint
- Converting dangerous characters into HTML entities in the Web Admin's person edit dialog
I haven't re-validated all of the admin because it's a lot of work and most of the other areas (except person) are not directly controlled by user input or are validated.
Fix will be released in 3.0.2 shortly.
Those you can't wait or who won't upgrade in a timely fashion should apply the attached patch. It should apply cleanly on 3.0+. Users of PacketFence before version 3.0.0 are *not* affected.
|This vulnerability has been assigned: CVE-2011-4071.|
|fix released in 3.0.2|
|2011-10-03 12:13||mattd||New Issue|
|2011-10-06 11:47||obilodeau||Status||new => assigned|
|2011-10-06 11:47||obilodeau||Assigned To||=> obilodeau|
|2011-10-13 13:44||obilodeau||File Added: security-fix-1295-command-injection.patch|
|2011-10-13 13:56||obilodeau||mtn revision||=> 92f9741dafd035ed1617b8ebb8d6a467cb0f1edb|
|2011-10-13 13:56||obilodeau||Note Added: 0002342|
|2011-10-13 13:56||obilodeau||Status||assigned => resolved|
|2011-10-13 13:56||obilodeau||Fixed in Version||=> +1|
|2011-10-13 13:56||obilodeau||Resolution||open => fixed|
|2011-10-13 13:57||obilodeau||Relationship added||related to 0001308|
|2011-10-17 10:40||obilodeau||Note Added: 0002366|
|2011-10-24 16:45||obilodeau||View Status||private => public|
|2011-10-24 20:15||obilodeau||Target Version||=> 3.0.2|
|2011-10-24 20:15||obilodeau||Note Added: 0002383|
|2011-10-24 20:16||obilodeau||Status||resolved => closed|
|2011-10-24 20:17||obilodeau||Fixed in Version||+1 => 3.0.2|
|Copyright © 2000 - 2012 MantisBT Group|