parameters need filtering #781

Closed
gsocgsoc opened this Issue Apr 20, 2016 · 1 comment


gsocgsoc commented Apr 20, 2016 edited

Hi,

The parameter wxh needs some sanitization before being used by OpenTSDB.

See example url:

http://opentsdb.com:4242/q?start=2016/04/13-10:21:00&ignore=2&m=sum:jmxdata.cpu&o=&yrange=[0:]&key=out%20right%20top&wxh=1900x770%60id%60&style=linespoint&png

Results in RCE, unfortunately.

More parameters:

  • wxh
  • start
  • m
  • o
  • key
  • style

Payload:
%60id%60

Regards

@johann8384 johann8384 changed the title from Paraments need filtering to parameters need filtering Apr 20, 2016
@gsocgsoc

mygnuplot.sh

#!/bin/sh
# Because !@#$%^ Java can't fucking do this without a bazillion lines of codes.
set -e
stdout=$1
shift
stderr=$1
shift
exec nice gnuplot "$@" >"$stdout" 2>"$stderr"

mygnuplot.bat

set -e
stdout=$1
shift
stderr=$1
shift
gnuplot %1 2>&1
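Added example (not code from the report, from OpenTSDB, or from the project's eventual fix) covering both the parameter list in the issue and the helper scripts quoted above. It builds the gnuplot preamble two ways: by splicing the decoded query values straight in, which leaves the `` `id` `` from the report's wxh value inside the script where gnuplot's own backtick substitution will execute it (the quoted "$@" in mygnuplot.sh does not help, because the injected text lives in the script file, not in argv), and by first checking every rendered parameter against an allow-list shape. The regexes, the NOT_RENDERED set, the script lines and the default values are this example's assumptions; only the URL and the parameter names come from the report.

```python
import re
from urllib.parse import parse_qs, urlsplit


class RejectedParameter(ValueError):
    """Raised when a /q parameter does not match its allow-list shape."""


# Allowed shape of each parameter named in the report.  These regexes are
# this example's own choices (an assumption), not OpenTSDB's validation.
RULES = {
    "wxh":    re.compile(r"[1-9][0-9]{0,3}x[1-9][0-9]{0,3}"),
    "start":  re.compile(r"\d{4}/\d{2}/\d{2}(-\d{2}:\d{2}(:\d{2})?)?|\d+(ms|[smhdwny])-ago|\d{10,13}"),
    "m":      re.compile(r"[a-z]+:([0-9]+[a-z]+-[a-z]+:)?(rate:)?[A-Za-z0-9._/-]+(\{[A-Za-z0-9._/=,*|-]+\})?"),
    "o":      re.compile(r"[A-Za-z0-9 ._%-]*"),
    "key":    re.compile(r"[A-Za-z ]*"),
    "style":  re.compile(r"linespoint|points|circles|dots"),
    "yrange": re.compile(r"\[[0-9.eE+-]*:[0-9.eE+-]*\]"),
}

# Parameters the handler consumes itself and never writes into the script
# (assumption for this example; OpenTSDB's real list may differ).
NOT_RENDERED = {"png", "ascii", "json", "ignore"}


def first_rejected(url):
    """Return 'name=value' of the first parameter failing its rule, or None."""
    for name, values in parse_qs(urlsplit(url).query, keep_blank_values=True).items():
        if name in NOT_RENDERED:
            continue
        rule = RULES.get(name)
        if rule is None:
            return f"{name}={values[0]}"   # unknown names are rejected as well
        for value in values:
            if not rule.fullmatch(value):
                return f"{name}={value}"
    return None


def validate_query(url):
    """Decode the query string and return only the values that passed their rule."""
    bad = first_rejected(url)
    if bad is not None:
        raise RejectedParameter(bad)
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values for name, values in qs.items() if name in RULES}


def gnuplot_script(wxh, yrange, key, style):
    """Illustrative preamble (assumption: OpenTSDB's real script differs in detail).

    gnuplot expands `command` anywhere in a script line, so a value carrying
    backticks is executed by gnuplot itself, regardless of how the wrapper
    shell script quotes its arguments.
    """
    return "\n".join([
        f"set term png small size {wxh}",
        f"set yrange {yrange}",
        f"set key {key}",
        f"plot '-' with {style}",
    ])


def _render(values):
    def pick(name, default):
        return values.get(name, [default])[0]
    return gnuplot_script(pick("wxh", "1024x768"), pick("yrange", "[:]"),
                          pick("key", "top left"), pick("style", "linespoint"))


def render_unchecked(url):
    """The vulnerable pattern: raw decoded values spliced into the script."""
    return _render(parse_qs(urlsplit(url).query, keep_blank_values=True))


def render_checked(url):
    """The hardened pattern: validate first, then render only clean values."""
    return _render(validate_query(url))


# The URL from the report, and a benign variant with the payload removed.
REPORTED_URL = ("http://opentsdb.com:4242/q?start=2016/04/13-10:21:00&ignore=2"
                "&m=sum:jmxdata.cpu&o=&yrange=[0:]&key=out%20right%20top"
                "&wxh=1900x770%60id%60&style=linespoint&png")
BENIGN_URL = REPORTED_URL.replace("%60id%60", "")

if __name__ == "__main__":
    print(render_unchecked(REPORTED_URL))   # script carries `id` for gnuplot to run
    print(first_rejected(REPORTED_URL))     # wxh=1900x770`id`
    print(render_checked(BENIGN_URL))       # clean preamble, no backticks
```

The check runs before any file is written, so a rejected request can be answered with a plain-text 400 rather than a PNG, and every parameter that ends up in the script (not just wxh) is held to the same rule.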
@manolama manolama added the bug label May 1, 2016
@johann8384 johann8384 added this to the v2.3.0 milestone May 24, 2016
@johann8384 johann8384 added a commit to johann8384/opentsdb that referenced this issue Jul 6, 2016
@johann8384 johann8384 Made HTTP Request method checking consistent, fixes a few cases where behavior is unexpected.

Simplified loading of internal RPC Handlers
Stop Sending BAD_REQUEST response as a PNG, allowed random code execution!

Fixes #793
Fixes #781
Fixes #831
Fixes #830
85047ea
@johann8384 johann8384 added a commit to johann8384/opentsdb that referenced this issue Sep 19, 2016
@johann8384 johann8384 This is the fix for #793 and #781
Fixes #781
Fixes #793
6bba88c
@johann8384 johann8384 closed this Sep 19, 2016
@johann8384 johann8384 added a commit to johann8384/opentsdb that referenced this issue Dec 5, 2016
@johann8384 johann8384 This is the fix for #793 and #781
Fixes #781
Fixes #793
3e92bdf