
| View Issue Details |
| ID | Project | Category | View Status | Date Submitted | Last Update | |||
| 0000763 | PacketFence | security | public | 2009-08-11 09:53 | 2012-04-23 11:03 | |||
| Reporter | obilodeau | |||||||
| Assigned To | obilodeau | |||||||
| Priority | normal | Severity | major | Reproducibility | have not tried | |||
| Status | closed | Resolution | fixed | |||||
| Platform | OS | OS Version | ||||||
| Product Version | ||||||||
| Target Version | 3.0.2 | Fixed in Version | 3.0.2 | |||||
| Summary | 0000763: Unsanitized user input in web_node_register | |||||||
| Description | In web_node_register inside web.pm, an external command is executed (pfcmd) and user-controlled data is passed to it. I think that this info is not sanitized enough and that we can perform command injection there.

```perl
sub web_node_register {
    my ( $mac, $pid, %info ) = @_;
    my $logger = Log::Log4perl::get_logger('pf::web');
    my $info;
    foreach my $key ( keys %info ) {
        # character filter applied to the %info values only
        $info{$key} =~ s/[^0-9a-zA-Z_\*\.\-\:_\;\@\ ]/ /g;
        $info .= $key . '="' . $info{$key} . '",';
    }
    chop($info);
    $logger->info(
        "calling $bin_dir/pfcmd 'manage register $mac \"$pid\" $info'");
    # command line built by string interpolation and run through the shell
    my $cmd = $bin_dir . "/pfcmd 'manage register $mac \"$pid\" $info'";
    my $output = qx/$cmd/;
    return 1;
}
```

I'm not so sure about this one here but I know that web_node_record_user_agent will pass user agent straight to shell with single quote escaping only.

NOTE: Because of the current architecture (running pfcmd instead of calling inside subs) I am pretty sure this is spread all over the place. I will have to test feasibility of exploitation first. | |||||||
| Additional Information | See http://sial.org/howto/perl/backticks/ for some hints for solutions. | |||||||
| Tags | No tags attached. | |||||||
| fixed in git revision | ||||||||
| fixed in mtn revision | ||||||||
| Attached Files | ||||||||
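
One way to take the shell out of the picture, as the Additional Information link suggests (an added example, not PacketFence's code or the fix that shipped in 3.0.2): a list-form pipe open hands each value to the child process as its own argv entry, and the MAC is checked against an allow-list first. The stand-in command (the running perl echoing its arguments), `valid_mac`, `run_no_shell`, `register_node` and the sample values are assumptions constructed for illustration; pfcmd's real argument handling is not shown on this page.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical stand-in for "$bin_dir/pfcmd": the running perl, told to print
# each argument it receives in brackets. Not PacketFence's real interface.
my @stand_in = ( $^X, '-e', 'print "[$_]\n" for @ARGV' );

# Allow-list check for a MAC address (six colon-separated hex octets).
sub valid_mac {
    my ($mac) = @_;
    return defined $mac && $mac =~ /\A[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5}\z/;
}

# Run a command without a shell: list-form pipe open passes each element to
# exec() as its own argv entry, so quotes and ';' are never parsed.
sub run_no_shell {
    my (@argv) = @_;
    open( my $fh, '-|', @argv ) or die "cannot run $argv[0]: $!";
    my @out = <$fh>;
    close($fh) or die "$argv[0] failed: " . ( $! || "exit status $?" );
    chomp @out;
    return @out;
}

# Hardened counterpart of web_node_register (assumed shape, for illustration).
sub register_node {
    my ( $mac, $pid, %info ) = @_;
    die "rejected MAC\n" unless valid_mac($mac);
    my @pairs = map { "$_=$info{$_}" } sort keys %info;
    return run_no_shell( @stand_in, 'manage', 'register', $mac, $pid, @pairs );
}

# Constructed sample input: a pid and user agent carrying shell metacharacters.
my @seen = register_node(
    '00:11:22:33:44:55',
    q{bob'; echo injected; '},
    user_agent => q{Mozilla/5.0 (X11; 'quoted')},
);
print "$_\n" for @seen;    # each value arrives as one literal argument

# A MAC that fails the allow-list is refused before any process is started.
my $ok = eval { register_node( q{00:11:22:33:44:55';}, 'bob' ); 1 };
print "bad MAC rejected: ", ( $ok ? 'no' : 'yes' ), "\n";
```
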
Notes |
|
|
(0002634) obilodeau (reporter) 2012-04-04 11:17 |
a fix was made earlier, we forgot to update and close this ticket |
|
(0002635) obilodeau (reporter) 2012-04-04 11:17 |
made ticket public since it has been fixed for a little while |
Issue History |
|||
| Date Modified | Username | Field | Change |
| 2009-08-11 09:53 | obilodeau | New Issue | |
| 2009-08-19 15:55 | obilodeau | Status | new => assigned |
| 2009-08-19 15:55 | obilodeau | Assigned To | => obilodeau |
| 2010-05-05 09:30 | obilodeau | Category | future => security |
| 2011-01-18 10:03 | obilodeau | Target Version | => 2.0.1 |
| 2011-01-26 15:30 | obilodeau | Target Version | 2.0.1 => 2.0.2 |
| 2011-03-03 15:19 | obilodeau | Target Version | 2.0.2 => +1 |
| 2012-04-04 11:17 | obilodeau | Note Added: 0002634 | |
| 2012-04-04 11:17 | obilodeau | Status | assigned => closed |
| 2012-04-04 11:17 | obilodeau | Resolution | open => fixed |
| 2012-04-04 11:17 | obilodeau | Fixed in Version | => 3.0.2 |
| 2012-04-04 11:17 | obilodeau | Note Added: 0002635 | |
| 2012-04-04 11:17 | obilodeau | View Status | private => public |
| 2012-04-23 11:03 | obilodeau | Target Version | +1 => 3.0.2 |