[Commotion-admin] [luci-commotion-apps] added input validation and sanitizing for mitigating RCE vulnerabilities (#21)
Josh King
notifications at github.com
Fri Oct 25 19:11:10 UTC 2013
Those queries indeed fail to open a connection back to netcat, but I suspect it's not for the reason intended. When running those curl queries, I get the error below:
* About to connect() to 192.168.1.20 port 80 (#0)
* Trying 192.168.1.20...
* Adding handle: conn: 0x14696a0
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x14696a0) send_pipe: 1, recv_pipe: 0
* Connected to 192.168.1.20 (192.168.1.20) port 80 (#0)
> POST /cgi-bin/luci/apps/add_submit HTTP/1.1
> User-Agent: curl/7.32.0
> Host: 192.168.1.20
> Accept: */*
> Content-Length: 110
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 110 out of 110 bytes
< HTTP/1.1 500 Internal Server Error
< Connection: close
< Transfer-Encoding: chunked
< Content-Type: text/plain
< Cache-Control: no-cache
< Expires: 0
<
/usr/lib/lua/luci/dispatcher.lua:448: Failed to execute call dispatcher target for entry '/apps/add_submit'.
The called action terminated with an exception:
...ib/lua/luci/controller/commotion/apps_controller.lua:248: module 'uri' not found:
no field package.preload['uri']
no file './uri.lua'
no file '/usr/share/lua/uri.lua'
no file '/usr/share/lua/uri/init.lua'
no file '/usr/lib/lua/uri.lua'
no file '/usr/lib/lua/uri/init.lua'
no file './uri.so'
no file '/usr/lib/lua/uri.so'
no file '/usr/lib/lua/loadall.so'
stack traceback:
[C]: in function 'assert'
/usr/lib/lua/luci/dispatcher.lua:448: in function 'dispatch'
* Closing connection 0
/usr/lib/lua/luci/dispatcher.lua:195: in function </usr/lib/lua/luci/dispatcher.lua:194>
This is both before and after Quickstart. The 'uri' module appears to be missing? I've confirmed that the changes both from this pull request and from opentechinstitute/luci-commotion#29 were properly applied to my build.
---
Reply to this email directly or view it on GitHub:
https://github.com/opentechinstitute/luci-commotion-apps/pull/21#issuecomment-27118096