Code injection vulnerability on /system/log endpoint #132
Comments
Unfortunately, I am not an expert nor a professional programmer. I need to look into it and read more details on the topic. Are you referring to the changes documented here? Or even better, do you have a proposal on how to fix it with a PR? Anyhow, it'll take some time.
Yes, the mentioned mitigations should fix this issue. If I find any free time soon I will test the mitigation and make a PR.
@pondzikk Would a check whether logtime is an integer and below a certain value reduce the risk significantly? This could be a short-term solution.
Yup, it should work. I haven't checked the fixed version in action, but after reading the changes in the commit I think it would mitigate this issue.
@avollkopf Best regards |
Added a test branch that uses the systemd-python package instead of os.system to read from the journal. Tests have started, but reading from the log is already working and the issue should be solved with the usage of the additional package.
The vulnerability was described and published at the following addresses: Best regards |
Closed with the aforementioned PR.
The URL GET parameter {logtime}, utilized within the downloadlog function from /cbpi/controller/system_controller.py, is subsequently passed to the os.system function in /cbpi/http_endpoints/http_system.py without prior validation, allowing arbitrary code execution. The vulnerability exists from version 4.0.0.58 (commit 563fae9).
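The pattern behind this issue, as an added example that is not CraftBeerPi's own code: the vulnerable shape interpolates the untrusted logtime value straight into a shell string for os.system, so a value such as `1; touch /tmp/pwned` ends the journalctl command and runs a second one. The hardened shape implements the short-term check proposed above (integer, bounded) and additionally passes the value to subprocess.run as a single argv element with no shell, so shell metacharacters are never interpreted. The journalctl flags, the `craftbeerpi` unit name and the 30-day upper bound are assumptions for illustration; the project's real command line and the systemd-python approach from the fix are not reproduced here.

```python
import re
import subprocess

# Assumed values for illustration only; not taken from the project.
SERVICE_UNIT = "craftbeerpi"
MAX_LOGTIME_HOURS = 24 * 30  # reject anything older than 30 days


def vulnerable_command(logtime: str) -> str:
    """Shape of the original bug: the GET parameter is dropped into a shell
    string. Returned rather than executed so the injection can be inspected;
    os.system(vulnerable_command(logtime)) is what makes it exploitable."""
    return f"journalctl -u {SERVICE_UNIT} --since '{logtime} hours ago' > /tmp/log.txt"


def validate_logtime(value: str) -> int:
    """The mitigation discussed in the thread: accept only a plain ASCII
    integer within a sane range. re.fullmatch is used instead of int() or
    str.isdigit(), both of which accept Unicode digits and int() also
    accepts whitespace and a sign."""
    if not isinstance(value, str) or re.fullmatch(r"[0-9]{1,6}", value) is None:
        raise ValueError("logtime must be a positive integer")
    hours = int(value)
    if hours < 1 or hours > MAX_LOGTIME_HOURS:
        raise ValueError(f"logtime must be between 1 and {MAX_LOGTIME_HOURS} hours")
    return hours


def safe_argv(logtime: str) -> list[str]:
    """Build the command as an argv list. Even if validation were relaxed,
    the value is one argument to journalctl and never reaches a shell."""
    hours = validate_logtime(logtime)
    return ["journalctl", "-u", SERVICE_UNIT, "--since", f"{hours} hours ago"]


def read_journal(logtime: str) -> str:
    """Run the hardened command without a shell and return its output.
    Needs journalctl on the host; not exercised by the assertions."""
    result = subprocess.run(safe_argv(logtime), capture_output=True, text=True, check=True)
    return result.stdout


def is_rejected(value: str) -> bool:
    """Helper for checking that a payload never reaches the command builder."""
    try:
        safe_argv(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "1'; touch /tmp/pwned; echo '"
    print("os.system would receive:", vulnerable_command(payload))
    print("hardened builder rejects payload:", is_rejected(payload))
    print("hardened argv for '12':", safe_argv("12"))
```

The argv list is the part that removes the bug class; the integer check is defence in depth and also stops `--since` from receiving nonsense. If the project had to keep a shell string for some reason, `shlex.quote(str(hours))` on the validated value would be the minimum, but a list passed to subprocess.run with no `shell=True` is simpler to get right.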