[Commotion-admin] [commotion-apps] RCE in add local applications form ‘uuid’ parameter (Critical) (#11)

areynold notifications at github.com
Mon Sep 9 15:20:32 UTC 2013


The uuid parameter is sent to an OS command. In the newest version of the application's code (commit id 3bcf912eec5d3b7b0192cf4c21e334c6775ec482) this parameter can be tampered with to allow arbitrary command execution. Anonymous, not authenticated access to the web interface is required.

https://github.com/opentechinstitute/commotion-apps/blob/3bcf912eec5d3b7b0192cf4c21e334c6775ec482/lua/luci/controller/commotion/apps_controller.lua#L534-L543

To exploit this vulnerability, an attacker should set up a new application (unique name, IP address/port pair) and submit code in the uuid parameter using the same bypass as in the WRT-01-001 vulnerability.

Originally reported as WRT-01-002

---
Reply to this email directly or view it on GitHub:
https://github.com/opentechinstitute/commotion-apps/issues/11
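The report above describes a form value reaching an OS command unchecked. The mitigation a maintainer would want is to reject anything that is not a canonical UUID before it gets near a shell, and to quote the value as defense in depth. The following is an added example written for this archive; it is not code from commotion-apps, the helper path `/usr/bin/commotion-app-helper` is a hypothetical placeholder, and it assumes the uuid arrives as a plain string from the HTTP form.

```lua
-- Added example (not commotion-apps code): validate the uuid before it can
-- reach any OS command, then quote it anyway as defense in depth.

-- Canonical UUID layout: 8-4-4-4-12 hexadecimal digits. Anything else is refused.
local UUID_PATTERN =
  "^%x%x%x%x%x%x%x%x%-%x%x%x%x%-%x%x%x%x%-%x%x%x%x%-%x%x%x%x%x%x%x%x%x%x%x%x$"

-- Allow-list check: only a string matching the full pattern is accepted.
local function is_valid_uuid(s)
  return type(s) == "string" and s:match(UUID_PATTERN) ~= nil
end

-- Single-quote a value for a POSIX shell. This is a second layer only;
-- it never replaces is_valid_uuid, which is what actually closes the hole.
local function shell_quote(s)
  return "'" .. (s:gsub("'", "'\\''")) .. "'"
end

-- Build the command line only after validation. The helper path below is a
-- HYPOTHETICAL placeholder; the real controller's command is not shown here.
local function build_app_command(uuid)
  if not is_valid_uuid(uuid) then
    return nil, "invalid uuid"
  end
  return "/usr/bin/commotion-app-helper " .. shell_quote(uuid)
end

-- Constructed sample inputs: one well-formed uuid and three malformed values
-- of the kind a tampered form submission would carry.
local samples = {
  "123e4567-e89b-12d3-a456-426614174000",                -- accepted
  "123e4567-e89b-12d3-a456-426614174000; echo injected", -- rejected: trailing shell text
  "$(echo injected)",                                     -- rejected: not a uuid at all
  "",                                                     -- rejected: empty
}

for _, s in ipairs(samples) do
  local cmd, err = build_app_command(s)
  if cmd then
    print(string.format("%-55s -> %s", s, cmd))
  else
    print(string.format("%-55s -> rejected (%s)", s, err))
  end
end
```

The important design choice is that the allow-list check runs first and fails closed: the shell quoting exists only so that a future change which relaxes the pattern does not immediately reopen command injection.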

