SEC: fix RCE bug in controller.php
@bernhard-herzog (@Intevation) discovered that the backend incorrectly handled messages given by user-input in the "send" functionality of the Inspect-tool of the Monitor component. An attacker with access to the IntelMQ Manager could possibly use this issue to execute arbitrary code with the privileges of the webserver.
Sebastian Wagner committed Apr 27, 2020
1 parent ec6567e commit b9a2ac4
Showing 3 changed files with 7 additions and 2 deletions.
3 changes: 2 additions & 1 deletion CHANGELOG.md
Expand Up @@ -4,10 +4,11 @@ CHANGELOG

2.1.1 (unreleased)
------------------

Bernhard Herzog (Intevation) discovered that the backend incorrectly handled messages given by user-input in the "send" functionality of the Inspect-tool of the Monitor component. An attacker with access to the IntelMQ Manager could possibly use this issue to execute arbitrary code with the privileges of the webserver.

### Backend
- Fix mispelling of the environmental variable `INTELMQ_MANGER_CONTROLLER_CMD` to `INTELMQ_MANAGER_CONTROLLER_CMD` (an 'a' was missing).
- Fix handling of POST variable `msg` of the message-sending functionality available in the Inspect-tool.

### Pages

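Review bot: the advisory paragraph under "2.1.1 (unreleased)" sits above "### Backend" with no heading of its own and does not say which releases are affected, and the matching Backend bullet ("Fix handling of POST variable `msg` ...") does not identify itself as the security fix. Consider putting the paragraph under its own subsection in the same `###` style and referring to it from the bullet, so a reader scanning the list can tell this entry is the RCE fix. While touching this block, "mispelling" in the first Backend bullet should read "misspelling".
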
4 changes: 4 additions & 0 deletions NEWS.md
Expand Up @@ -5,6 +5,10 @@ See the changelog for a full list of changes.

2.1.1 (unreleased)
------------------
**Never ever run intelmq-manager on a public webserver without SSL and proper authentication**.

Bernhard Herzog (Intevation) discovered that the backend incorrectly handled messages given by user-input in the "send" functionality of the Inspect-tool of the Monitor component. An attacker with access to the IntelMQ Manager could possibly use this issue to execute arbitrary code with the privileges of the webserver.

The environment variable name was corrected from `INTELMQ_MANGER_CONTROLLER_CMD` to `INTELMQ_MANGAER_CONTROLLER_CMD` you might need to adapt your configuration.
The old name will be available until version 3.0.

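Review bot: the environment-variable sentence in this hunk gives the corrected name as `INTELMQ_MANGAER_CONTROLLER_CMD`, which is itself misspelled and disagrees with `INTELMQ_MANAGER_CONTROLLER_CMD` in CHANGELOG.md; an operator copying the name from NEWS.md would set a variable the backend does not read. Please correct the name here, and split the run-on before "you might need to adapt your configuration". The bold warning about SSL and authentication would also be easier to act on if it sat next to the advisory paragraph with a pointer to how authentication is configured, rather than as the first line under the version heading.
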
2 changes: 1 addition & 1 deletion intelmq-manager/php/controller.php
Expand Up @@ -104,7 +104,7 @@
$arguments .= "message pop";
break;
case "send":
$arguments .= "message send '" . escapeshellarg(filter_input(INPUT_POST, "msg")) . "'";
$arguments .= "message send " . escapeshellarg(filter_input(INPUT_POST, "msg"));
break;
case "process":
$arguments .= "process";
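
Review bot: in the `send` case the result of `filter_input(INPUT_POST, "msg")` still goes straight into `escapeshellarg()` with no check that `msg` was actually posted; `filter_input` returns null when the variable is absent, so the controller command would be run with an empty message argument. Consider rejecting the request before building `$arguments` when `msg` is missing. A one-line comment on the new line noting that `escapeshellarg()` already adds the surrounding single quotes would explain why the literal `'` wrappers were dropped (they closed the quoting that `escapeshellarg()` opens, leaving the value unquoted) and guard against someone re-adding them. A regression test that sends a message containing a single quote and shell metacharacters would pin the behaviour.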