We (SUSE) are currently reviewing all cron jobs we package for security issues. cacti packages a cron job and that led us to have a look. During this I noticed that
in poller.php
575 $extra_args = api_plugin_hook_function('poller_command_args', $extra_args);
allows plugins to add arguments to the commands being executed. These arguments are not escaped, so it's left to the plugins to do this. I checked the default plugins and none of them are problematic.
IMHO (and I'm not really familiar with the code base) it might make sense to ensure proper escaping here to ensure defense in depth. Currently the code relies on every plugin getting this right.
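One way to apply the escaping suggested above at the hook boundary, as an added PHP example that is not part of the issue or of Cacti's code. `build_poller_command()`, the paths and the sample values are hypothetical, and it assumes plugins return an array of discrete arguments rather than one string.

```php
<?php
// Added illustration; not Cacti code. build_poller_command() and the sample
// values below are hypothetical.

/**
 * Build a shell command from a fixed binary/script plus plugin-supplied extras.
 * Plugins must return a list of discrete arguments; each one is quoted here,
 * so the caller no longer depends on every plugin escaping correctly.
 */
function build_poller_command(string $php_bin, string $script, $plugin_args): string
{
    if (!is_array($plugin_args)) {
        // A free-form string cannot be quoted safely after the fact:
        // intended separators and injected ones look the same.
        throw new InvalidArgumentException('plugin arguments must be an array');
    }

    $parts = [escapeshellarg($php_bin), escapeshellarg($script)];

    foreach ($plugin_args as $arg) {
        if (!is_string($arg) && !is_int($arg)) {
            throw new InvalidArgumentException('plugin argument must be a string or integer');
        }
        $arg = (string) $arg;
        if ($arg === '' || strpos($arg, "\0") !== false) {
            throw new InvalidArgumentException('empty or NUL-containing plugin argument');
        }
        // Quoting stops shell metacharacters from being interpreted. It does
        // not stop the target program from treating the value as an option,
        // so an allow-list of option names is still worth having.
        $parts[] = escapeshellarg($arg);
    }

    return implode(' ', $parts);
}

// Constructed sample input: values a careless plugin might hand back.
$from_plugin = ['--poller=1', '--note=a b; echo injected'];
echo build_poller_command('/usr/bin/php', '/srv/app/cmd.php', $from_plugin), PHP_EOL;

// A single pre-joined string is refused instead of being passed through.
try {
    build_poller_command('/usr/bin/php', '/srv/app/cmd.php', '--poller=1; echo injected');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```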
Well, I'm going to see if this plugin is actually used anywhere. Cause I agree. Right now, it's the plugin's responsibility to perform any escaping of the arguments, as they can be pretty free form.
I would suggest that maybe in 2020, we don't even need this hook. But we have to review it first.
Just finished the audit. I'd be happy to remove this as a bug. The two legacy plugins that used it really were misusing it to modify memory limits for the data collectors and not really messing with command line arguments. In other words, they were hacks by the uber-hacker himself, he who shall remain nameless.