From b9a2ac43a4f99d764b827108f6a99dc4a9faa013 Mon Sep 17 00:00:00 2001 From: Sebastian Wagner Date: Mon, 27 Apr 2020 20:46:58 +0200 Subject: [PATCH] SEC: fix RCE bug in controller.php @bernhard-herzog (@Intevation) discovered that the backend incorrectly handled messages given by user-input in the "send" functionality of the Inspect-tool of the Monitor component. An attacker with access to the IntelMQ Manager could possibly use this issue to execute arbitrary code with the privileges of the webserver. --- CHANGELOG.md | 3 ++- NEWS.md | 4 ++++ intelmq-manager/php/controller.php | 2 +- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5840b56..2123238 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,10 +4,11 @@ CHANGELOG 2.1.1 (unreleased) ------------------ - +Bernhard Herzog (Intevation) discovered that the backend incorrectly handled messages given by user-input in the "send" functionality of the Inspect-tool of the Monitor component. An attacker with access to the IntelMQ Manager could possibly use this issue to execute arbitrary code with the privileges of the webserver. ### Backend - Fix mispelling of the environmental variable `INTELMQ_MANGER_CONTROLLER_CMD` to `INTELMQ_MANAGER_CONTROLLER_CMD` (an 'a' was missing). +- Fix handling of POST variable `msg` of the message-sending functionality available in the Inspect-tool. ### Pages diff --git a/NEWS.md b/NEWS.md index 3bb9b84..d80121a 100644 --- a/NEWS.md +++ b/NEWS.md 
@@ -5,6 +5,10 @@ See the changelog for a full list of changes. 2.1.1 (unreleased) ------------------ +**Never ever run intelmq-manager on a public webserver without SSL and proper authentication**. + +Bernhard Herzog (Intevation) discovered that the backend incorrectly handled messages given by user-input in the "send" functionality of the Inspect-tool of the Monitor component. An attacker with access to the IntelMQ Manager could possibly use this issue to execute arbitrary code with the privileges of the webserver. + The environment variable name was corrected from `INTELMQ_MANGER_CONTROLLER_CMD` to `INTELMQ_MANGAER_CONTROLLER_CMD` you might need to adapt your configuration. The old name will be available until version 3.0. diff --git a/intelmq-manager/php/controller.php b/intelmq-manager/php/controller.php index dcbfa3f..472c277 100644 --- a/intelmq-manager/php/controller.php +++ b/intelmq-manager/php/controller.php @@ -104,7 +104,7 @@ $arguments .= "message pop"; break; case "send": - $arguments .= "message send '" . escapeshellarg(filter_input(INPUT_POST, "msg")) . "'"; + $arguments .= "message send " . escapeshellarg(filter_input(INPUT_POST, "msg")); break; case "process": $arguments .= "process";
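Review bot: in the CHANGELOG.md hunk, the new Backend bullet ("Fix handling of POST variable `msg` ...") does not say that it is the fix for the code-execution issue described in the paragraph added above it, so a reader scanning the Backend list will not see it as a security fix. Suggest stating that in the bullet itself, or moving the advisory paragraph under its own heading that the bullet can point to. The paragraph also takes the place of the blank line that followed the `2.1.1 (unreleased)` underline; keeping a blank line on both sides of it would match the rest of the file.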
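Review bot: in the NEWS.md hunk, the unchanged context line directly below the added advisory gives the corrected variable name as `INTELMQ_MANGAER_CONTROLLER_CMD`, while the CHANGELOG.md context in this same patch gives it as `INTELMQ_MANAGER_CONTROLLER_CMD`. Since this section is being touched for the release note anyway, fix the spelling here so administrators who copy the name from NEWS.md do not set a variable the backend never reads. The added advisory would also be more actionable if it told users of the "send" function in the Inspect-tool to upgrade, rather than only describing the issue.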
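Review bot: in the `case "send":` branch of controller.php, the result of `filter_input(INPUT_POST, "msg")` is passed straight to `escapeshellarg()` with no check that `msg` was actually posted; `filter_input` returns null for a missing variable, so the command is then built with an empty message argument. Suggest rejecting the request before appending to `$arguments` when `msg` is absent. A one-line comment that `escapeshellarg()` already supplies the surrounding single quotes would also help, because the removed line shows how wrapping its output in a second pair of quotes cancels the quoting, and a regression test using a message that contains a single quote would keep that from being reintroduced.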