SEC: fix RCE bug in controller.php

@bernhard-herzog (@Intevation) discovered that the backend incorrectly handled messages given by user-input in the "send" functionality of the Inspect-tool of the Monitor component. An attacker with access to the IntelMQ Manager could possibly use this issue to execute arbitrary code with the privileges of the webserver.
certtools · Apr 27, 2020 · b9a2ac4 · b9a2ac4
1 parent ec6567e
commit b9a2ac4
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,10 +4,11 @@ CHANGELOG
 
 2.1.1 (unreleased)
 ------------------
-
+Bernhard Herzog (Intevation) discovered that the backend incorrectly handled messages given by user-input in the "send" functionality of the Inspect-tool of the Monitor component. An attacker with access to the IntelMQ Manager could possibly use this issue to execute arbitrary code with the privileges of the webserver.
 
 ### Backend
 - Fix mispelling of the environmental variable `INTELMQ_MANGER_CONTROLLER_CMD` to `INTELMQ_MANAGER_CONTROLLER_CMD` (an 'a' was missing).
+- Fix handling of POST variable `msg` of the message-sending functionality available in the Inspect-tool.
 
 ### Pages
 

diff --git a/NEWS.md b/NEWS.md
@@ -5,6 +5,10 @@ See the changelog for a full list of changes.
 
 2.1.1 (unreleased)
 ------------------
+**Never ever run intelmq-manager on a public webserver without SSL and proper authentication**.
+
+Bernhard Herzog (Intevation) discovered that the backend incorrectly handled messages given by user-input in the "send" functionality of the Inspect-tool of the Monitor component. An attacker with access to the IntelMQ Manager could possibly use this issue to execute arbitrary code with the privileges of the webserver.
+
 The environment variable name was corrected from `INTELMQ_MANGER_CONTROLLER_CMD` to `INTELMQ_MANGAER_CONTROLLER_CMD` you might need to adapt your configuration.
 The old name will be available until version 3.0.
 

diff --git a/intelmq-manager/php/controller.php b/intelmq-manager/php/controller.php
@@ -104,7 +104,7 @@
             $arguments .= "message pop";
             break;
         case "send":
-            $arguments .= "message send '" . escapeshellarg(filter_input(INPUT_POST, "msg")) . "'";
+            $arguments .= "message send " . escapeshellarg(filter_input(INPUT_POST, "msg"));
             break;
         case "process":
             $arguments .= "process";