Remote Code Execution on saveConfig #620
Comments
first shot: web.py new P_saveconfig

AND/OR

Do we need any chars except alphanumeric and "." inside a key? What will happen with values?

Values can be ignored.

Then we can check the length of the 3rd part: max 30 or 50.

Will you test and push those changes?
This issue has been assigned the CVE 2017-9807. |
I don't have time to test right now.

Maybe the below snippet:

```python
from string import lowercase

accepted = lowercase + '.'  # "abcdefghijklmnopqrstuvwxyz."
not all([c in accepted for c in key])
# Returns True if ANY non-legitimate character exists in "key"
```

can replace the below check, found in:

```python
# Blacklists the "/", "%" and space (" ") characters.
"/" in key or "%" in key or " " in key
# Returns True if any blacklisted character exists in "key"
```

This can happen because it whitelists only acceptable characters (lowercase letters and dot), and returns
Any alphanumeric (capital, non-capital plus digits) plus "." should be acceptable.

Pardon me, I am new to the project!

```python
from string import letters, digits

accepted = letters + digits + '.'  # "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789."
not all([c in accepted for c in key])
# Returns True if ANY non-legitimate character exists in "key"
```
Or, much better, use the

```python
from string import ascii_letters, digits

accepted = ascii_letters + digits + '.'  # "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789."
not all([c in accepted for c in key])
# Returns True if ANY non-legitimate character exists in "key"
```

As my system has an English locale the difference cannot be seen in those two snippets right away, but if run on a system with a different locale (a Greek one, for example) the check I previously posted will always fail for legitimate
I believe that this one is as safe as it gets when it comes to locale issues...
I think there is an easy way.

UPDATE:

Sounds good to me.

I will also switch to POST for this request.
In line:
https://github.com/E2OpenPlugins/e2openplugin-OpenWebif/blob/1.2.4/plugin/controllers/models/config.py#L150
the eval() call blindly executes any user-supplied data. For example, a remote unauthenticated attacker can use the following GET request to create a root-owned file under /tmp/ on a "Dreambox 800HD se" device:

We will be requesting a CVE for this issue and will report the CVE number once this becomes available, for issue coordination purposes.