There is a bug that can run any command on Linux when using the OpenTSDB UI #793

Closed
xiaom0-0 opened this Issue May 11, 2016 · 2 comments


4 participants

@xiaom0-0
xiaom0-0 commented May 11, 2016 edited

If there is a wrong parameter such as "wxh=1900x770ls /home/", it will cause an "IllegalArgumentException" and then be processed with "badRequest". Because this responds with a "PNG", the wrong parameter will be written to a script, and run.

There is a simple way to fix it temporarily:
`---a/expand/opentsdb/src/tsd/HttpQuery.java
+++ b/expand/opentsdb/src/tsd/HttpQuery.java
@@ -421,8 +421,8 @@ final class HttpQuery extends AbstractHttpQuery {
HttpQuery.escapeJson(exception.getMessage(), buf);
buf.append(""}");
sendReply(HttpResponseStatus.BAD_REQUEST, buf);

  • } else if (hasQueryStringParam("png")) {
  •  sendAsPNG(HttpResponseStatus.BAD_REQUEST, exception.getMessage(), 3600);
    
  • //} else if (hasQueryStringParam("png")) {
  •  //sendAsPNG(HttpResponseStatus.BAD_REQUEST, exception.getMessage(), 3600);
    
    } else {
    sendReply(HttpResponseStatus.BAD_REQUEST,
    makePage("Bad Request", "Looks like it's your fault this time",`
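Review bot: the commented-out `//} else if (hasQueryStringParam("png")) {` and `//sendAsPNG(...)` lines should be deleted rather than left behind; dead code that still spells out the dangerous branch invites someone to re-enable it later. The contrast that matters is two lines above the removed branch: the JSON path runs the message through `HttpQuery.escapeJson(exception.getMessage(), buf)` before replying, while the PNG path handed `exception.getMessage()` to `sendAsPNG` raw, and that message echoes the unparsed query value (here "1900x770ls /home/") into a script the server then executes. Falling through to the `makePage("Bad Request", ...)` HTML reply closes this call site, but any other place that still passes user-influenced text to `sendAsPNG` needs the same change, and it is worth confirming that `makePage` escapes the message it is given so the HTML reply does not simply trade a command-injection sink for an HTML one.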
@manolama manolama added the bug label May 11, 2016
@manolama
Member

Eww, thank you very much for finding this. Will patch it shortly.

@gsocgsoc

Seems like a duplicate of #781

@johann8384 johann8384 added this to the v2.3.0 milestone May 24, 2016
@johann8384 johann8384 added a commit to johann8384/opentsdb that referenced this issue Jul 6, 2016
@johann8384 johann8384 Made HTTP Request method checking consistent, fixes a few cases where behavior is unexpected.

Simplified loading of internal RPC Handlers
Stop Sending BAD_REQUEST response as a PNG, allowed random code execution!

Fixes #793
Fixes #781
Fixes #831
Fixes #830
85047ea
@manolama manolama added a commit to manolama/opentsdb that referenced this issue Jul 13, 2016
@manolama manolama Fix #793 by making sure the exception response paths for the API
return an HTML response instead of trying to write and execute a
script that can execute arbitrary commands on the host system. There
is more work we should do (or just use client-side rendering) to
prevent hackers from running really bad stuff on the server.
Thanks to @xiaom0-0 for the find and fix.
e573995
@johann8384 johann8384 added a commit to johann8384/opentsdb that referenced this issue Sep 19, 2016
@johann8384 johann8384 This is the fix for #793 and 3781
Fixes #781
Fixes #793
6bba88c
@johann8384 johann8384 closed this Sep 19, 2016
@johann8384 johann8384 added a commit to johann8384/opentsdb that referenced this issue Dec 5, 2016
@johann8384 johann8384 This is the fix for #793 and 3781
Fixes #781
Fixes #793
3e92bdf
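To make the failure mode in the report and the shape of the fix concrete, here is an added Python model of the two error-response paths. It is illustrative code written for this page, not OpenTSDB's Java code and not anything posted by the participants above: the script text it builds is a constructed stand-in for the server-side gnuplot wrapper (the real wrapper's contents are not shown on this page), the `render_label` command, the `800x600` default and the `Response` type are assumptions, and nothing in the block executes a script. It shows a strict `wxh` parser that rejects the "1900x770ls /home/" payload, a pre-fix handler that, because `png` is present, answers the resulting error by splicing the raw message into a script, and a post-fix handler that always returns HTML-escaped HTML for errors, as the fix commits describe.

```python
import html
import re
import shlex
from dataclasses import dataclass

# Strict WIDTHxHEIGHT parser. The reported payload "1900x770ls /home/" fails
# here, and, like the Java IllegalArgumentException, the error message echoes
# the offending input, which is exactly the text that reaches the reply path.
_WXH = re.compile(r"^(\d{1,5})x(\d{1,5})$")


def parse_wxh(value: str) -> tuple[int, int]:
    m = _WXH.fullmatch(value)
    if m is None:
        raise ValueError(f"Invalid wxh parameter: {value}")
    return int(m.group(1)), int(m.group(2))


@dataclass
class Response:
    status: int
    content_type: str
    body: str


def build_error_script(message: str) -> str:
    """Stand-in for the pre-fix PNG error path: the error text is written
    verbatim into a script the server would then run. The script shape and
    the 'render_label' command are constructed for this example; the
    function only returns text and never executes anything."""
    return "#!/bin/sh\n" + f"render_label {message}\n"


def handle_vulnerable(params: dict[str, str]) -> Response:
    """Pre-fix behaviour: a bad request with ?png present goes to the script path."""
    try:
        w, h = parse_wxh(params.get("wxh", "800x600"))  # default is an assumption
    except ValueError as exc:
        if "png" in params:
            # Attacker-controlled text becomes script content.
            return Response(400, "text/x-shellscript", build_error_script(str(exc)))
        body = f"<h1>Bad Request</h1><p>{html.escape(str(exc))}</p>"
        return Response(400, "text/html", body)
    return Response(200, "image/png", f"<png {w}x{h}>")


def handle_fixed(params: dict[str, str]) -> Response:
    """Post-fix behaviour: errors are always HTML, escaped, whatever the client
    asked for; no user-influenced text reaches a script."""
    try:
        w, h = parse_wxh(params.get("wxh", "800x600"))  # default is an assumption
    except ValueError as exc:
        body = f"<h1>Bad Request</h1><p>{html.escape(str(exc))}</p>"
        return Response(400, "text/html", body)
    return Response(200, "image/png", f"<png {w}x{h}>")


def shell_safe_label(message: str) -> str:
    """If error text ever must be handed to a shell-run script, quote it at
    the sink so it is one literal argument rather than script syntax."""
    return shlex.quote(message)


if __name__ == "__main__":
    payload = {"wxh": "1900x770ls /home/", "png": "1"}  # constructed request
    print(handle_vulnerable(payload).body)
    print(handle_fixed(payload).body)
    print(shell_safe_label("1900x770ls /home/"))
```

The model deliberately separates the two defects: rejecting junk after the dimensions in `parse_wxh` is input validation, but the actual bug is that an error path chose its output format (a script fed to an interpreter) based on a client-supplied `png` flag and put unescaped request data into it. `shell_safe_label` is the fallback if such a path is ever kept: escape at the sink, in the grammar of the thing that will consume the text.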