<p><a href="https://github.com/areynold"><img src="https://avatars.githubusercontent.com/u/755312?" align="left" width="96" height="96" hspace="10" style="max-width:100%;"></a> <strong>Issue by <a href="https://github.com/areynold">areynold</a></strong><br><em>Monday Sep 09, 2013 at 15:25 GMT</em><br><em>Originally opened as <a href="https://github.com/opentechinstitute/commotion-debug-helper/issues/2" class="issue-link" title="Remote code execution in commotion debug helper (Medium)">opentechinstitute/commotion-debug-helper#2</a></em></p>

<hr><p>Parameters in the form displayed on the Commotion Debug Helper page are not sanitized when passed to OS command execution, which allows arbitrary command execution. However, the page is accessible to the node admin only and requires the presence of a session token, so the impact of this vulnerability is limited.</p>

<p><a href="https://github.com/opentechinstitute/commotion-bug-info/blob/3fb4acddcedaacd8b20768b93a1eef1f5c034f8f/luasrc/controller/debugger.lua#L31-L43">https://github.com/opentechinstitute/commotion-bug-info/blob/3fb4acddcedaacd8b20768b93a1eef1f5c034f8f/luasrc/controller/debugger.lua#L31-L43</a></p>

<p>This vulnerability allows for OS code execution by modifying the name, contact, whatYouDo, behaviorExpected and badBehavior parameters. A similar vulnerability exists within the buginfo parameter value, which is passed to another OS command:</p>

<p><a href="https://github.com/opentechinstitute/commotion-bug-info/blob/3fb4acddcedaacd8b20768b93a1eef1f5c034f8f/luasrc/controller/debugger.lua#L45-L55">https://github.com/opentechinstitute/commotion-bug-info/blob/3fb4acddcedaacd8b20768b93a1eef1f5c034f8f/luasrc/controller/debugger.lua#L45-L55</a></p>

<p>Originally reported as WRT-01-004</p>

<p>View it on GitHub: <a href="https://github.com/opentechinstitute/luci-commotion/issues/218">opentechinstitute/luci-commotion#218</a></p>
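<p>The pattern the report describes, reconstructed as an added example in plain Lua (this is not code from commotion-bug-info, luci-commotion, or the reporter, and it does not reproduce debugger.lua). The parameter names are the ones named in the issue; everything else is assumed: the <code>commotion-debug-helper</code> command and its flags are placeholders, <code>formvalue</code> is a stand-in for <code>luci.http.formvalue</code> over a constructed request, and <code>shellquote</code> and <code>validate_buginfo</code> are hypothetical helpers. The vulnerable builder interpolates form values straight into a shell line; the hardened builder single-quotes each operand, which is what <code>luci.util.shellquote</code> does in LuCI, and the allow-list shows the stricter option for a parameter that should only ever be a simple token.</p>

```lua
-- Added example, not project code. Runs under stock Lua 5.1+ with no LuCI.

-- Constructed request: "contact" carries an injected command. A ';' ends
-- the intended command and the remainder runs with the web server's rights.
local request = {
  name             = "Alice",
  contact          = "alice@example.org; id > /tmp/pwned #",
  whatYouDo        = "pressed the debug button",
  behaviorExpected = "a report is generated",
  badBehavior      = "nothing happens",
}
-- Stand-in for luci.http.formvalue(key) (assumption: same key/value shape).
local function formvalue(k) return request[k] end

local fields = { "name", "contact", "whatYouDo", "behaviorExpected", "badBehavior" }

-- VULNERABLE: raw form values concatenated into a shell command line.
-- "commotion-debug-helper" and its flags are placeholders, not the real CLI.
local function build_cmd_vulnerable()
  local parts = { "commotion-debug-helper" }
  for _, f in ipairs(fields) do
    parts[#parts + 1] = "--" .. f .. "=" .. tostring(formvalue(f) or "")
  end
  return table.concat(parts, " ")
end

-- Single-quote a value for a POSIX shell; the only byte that needs escaping
-- inside single quotes is the quote itself, written as '\'' .
-- Same construction as luci.util.shellquote(); inlined to stay self-contained.
local function shellquote(s)
  local quoted = tostring(s or ""):gsub("'", "'\\''")
  return "'" .. quoted .. "'"
end

-- HARDENED: every operand is one quoted shell word, so ';', '|', '$(...)'
-- and backticks inside a value are passed to the helper as literal text.
local function build_cmd_hardened()
  local parts = { "commotion-debug-helper" }
  for _, f in ipairs(fields) do
    parts[#parts + 1] = "--" .. f .. "=" .. shellquote(formvalue(f))
  end
  return table.concat(parts, " ")
end

-- Stricter option for buginfo, assuming (hypothetically) it is meant to be a
-- plain identifier rather than free text: reject instead of quote. Only
-- letters, digits, '-', '_' and '.' pass, and ".." is refused so the value
-- cannot climb directories if it later names a file.
local function validate_buginfo(v)
  if type(v) ~= "string" or v == "" then
    return nil, "buginfo missing"
  end
  if not v:match("^[%w%-_%.]+$") or v:match("%.%.") then
    return nil, "buginfo contains disallowed characters"
  end
  return v
end

-- Compare the two command lines the shell would receive; nothing is executed.
print("vulnerable: " .. build_cmd_vulnerable())
print("hardened:   " .. build_cmd_hardened())
print(validate_buginfo("node-2013-09-09.log"))
print(validate_buginfo("x; cat /etc/shadow"))
```

<p>If the command does not actually need a shell, the better fix is to avoid <code>os.execute</code>/<code>io.popen</code> on a concatenated string altogether and call the helper with an argument vector through a process-spawning API that does not re-parse its input; quoting is the fallback when the shell cannot be removed.</p>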