[Commotion-admin] [commotion-apps] RCE in name, nick, and description fields (Critical) (#15)

areynold notifications at github.com
Wed Sep 11 17:30:35 UTC 2013


Both the name, nick and description HTTP POST parameters allow for arbitrary command injection, as they are directly included in subsequent calls to luci.sys.exec. While both parameters have limited input validation, this only exists to check for the backtick character, not other forms of injection such as null (%00) or $.

**SHORT TERM SOLUTION:** Expand the existing input filtering to include other dangerous characters such as $ and ;. Only alpha-numeric names, nicknames and descriptions should be permitted. (This may be problematic for Unicode but the same general recommendation exists.)

**LONG TERM SOLUTION:** Avoid direct calls to high-risk LuCI shell functions such as luci.sys.exec and luci.sys.call. Instead, replace these with a call to a wrapper library which contains a secondary layer of input validation.

Originally submitted as iSEC-COMMO13-6

---
Reply to this email directly or view it on GitHub:
https://github.com/opentechinstitute/commotion-apps/issues/15
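Added example (not code from commotion-apps or LuCI) contrasting the backtick-only check the report describes with the allowlisted validation and wrapper it recommends. The names weak_filter, is_safe_name, shell_quote, build_command and safe_exec, and the /bin/echo program allowlist, are assumptions made for illustration; luci.sys.exec is taken to hand its argument to a shell, as the report states.

```lua
-- Added example; not code from commotion-apps or LuCI. All function names
-- below are hypothetical. luci.sys.exec is assumed to run its argument in a
-- shell, so any unvalidated byte sequence in a name becomes shell syntax.

-- 1. The kind of check the report describes: a denylist that rejects only "`".
local function weak_filter(value)
  return value:find("`", 1, true) == nil
end

-- 2. Short-term fix: an allowlist. Only letters and digits, 1..32 characters.
--    $ ; NUL (%00), newlines and whitespace are rejected without being listed.
local function is_safe_name(value)
  return type(value) == "string"
    and #value >= 1 and #value <= 32
    and value:match("^[%w]+$") ~= nil
end

-- Constructed sample inputs in the shape of the name/nick POST parameters.
local samples = {
  "node1",        -- legitimate
  "node`id`",     -- backtick: the only case the original filter catches
  "node$(id)",    -- $( ) substitution passes the backtick check
  "node;id",      -- command separator passes the backtick check
  "node\0id",     -- embedded NUL (%00) passes the backtick check
}

for _, s in ipairs(samples) do
  local shown = (s:gsub("%c", "?"))  -- make control bytes visible when printing
  print(shown, "weak_filter=" .. tostring(weak_filter(s)),
        "allowlist=" .. tostring(is_safe_name(s)))
end

-- 3. Long-term fix: one wrapper through which every shell invocation passes.
--    It re-validates each argument and quotes it, so no caller ever
--    concatenates raw request data into a command string.
local ALLOWED_PROGRAMS = { ["/bin/echo"] = true }  -- illustrative allowlist

local function shell_quote(arg)
  -- POSIX single-quote wrapping; an embedded ' becomes '\'' (close, escape, reopen)
  return "'" .. (arg:gsub("'", "'\\''")) .. "'"
end

local function build_command(program, args)
  if not ALLOWED_PROGRAMS[program] then
    return nil, "program not allowlisted: " .. tostring(program)
  end
  local parts = { program }
  for i, a in ipairs(args) do
    if not is_safe_name(a) then
      return nil, "argument " .. i .. " rejected: " .. (tostring(a):gsub("%c", "?"))
    end
    parts[#parts + 1] = shell_quote(a)  -- defence in depth: quoted even after validation
  end
  return table.concat(parts, " ")
end

-- Replacement for direct luci.sys.exec calls: only reachable via build_command.
local function safe_exec(program, args)
  local cmd, err = build_command(program, args)
  if not cmd then return nil, err end
  local p = io.popen(cmd, "r")
  local out = p:read("*a")
  p:close()
  return out
end

print(build_command("/bin/echo", { "node1" }))
print(build_command("/bin/echo", { "node$(id)" }))
print(build_command("/bin/echo", { "node\0id" }))
print(safe_exec("/bin/echo", { "node1" }))
```

The allowlist pattern `%w` is locale-dependent and admits ASCII letters and digits only in the C locale, which is the Unicode limitation the report mentions; widening it to a defined set of code points is a separate decision, but the shape of the check (accept a known set, reject everything else) is what closes the $, ; and %00 cases the backtick filter misses.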