The Repos feature is vulnerable to commands injection attack [CVE-2017-1000469] #1845
Has anyone recreated this issue? Seems important to follow up. Was there a pull request to solve this issue, or is there a fork to review the suggested filter? Thanks for reporting this issue @0xabe-io - Cheers!
Hi @whindes, no, I don't have any fix for that issue. The injection has been tested on an old 1.6.X version as well as on 2.8.2.
CVE-2017-1000469 was assigned to this issue.
Hi team, please note that this is still injectable via both the createflags and yumdownloader settings:

rpm -qa:
Does this bug and fix affect only the web UI, or also the CLI interface?
In the Repos feature, Cobbler does not sanitize its user input; as a result, it is possible to execute arbitrary commands by specifying a malformed repository mirror during its creation or editing. As the service runs as root, it is thus possible to leak sensitive information and gain remote root access on the machine that runs Cobbler.

Sample of a malicious input, entered in the Mirror field of the Adding a Repo form:

Then a Reposync action has to be executed to trigger the malicious command to run. Its output can be seen in the log of the action, which is on the Events page.

To fix this issue, we would suggest filtering the user input to remove non-valid path characters. Additionally, it would be advisable to run the rsync command, if not the entire service, as an unprivileged user.

This issue has been verified on versions up to 2.8.2.
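A strict allowlist for the Mirror field and a shell-free rsync invocation, as an added example of the filtering the report recommends; this is not Cobbler's own code, and the accepted schemes, the regexes and the rsync flags are assumptions:

```python
import re
import subprocess
from urllib.parse import urlparse

# Hypothetical allowlist (not Cobbler's): a scheme reposync can fetch from,
# a hostname with optional port, and a path made only of plain path characters.
ALLOWED_SCHEMES = {"http", "https", "ftp", "rsync"}
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:[0-9]{1,5})?$")
PATH_RE = re.compile(r"^[A-Za-z0-9._~/-]*$")
# Anything meaningful to /bin/sh: one occurrence is enough to reject the
# input outright rather than try to "clean" it in place.
SHELL_META = set(";|&$`<>(){}[]*?!\"'\\\n\r\t ")


def validate_mirror(mirror: str) -> str:
    """Return the mirror unchanged if it passes the allowlist, else raise ValueError."""
    if not mirror or any(ch in SHELL_META for ch in mirror):
        raise ValueError("mirror contains characters not allowed in a repository path")
    if "://" in mirror:
        url = urlparse(mirror)
        if url.scheme not in ALLOWED_SCHEMES:
            raise ValueError(f"unsupported scheme {url.scheme!r}")
        if not url.netloc or not HOST_RE.match(url.netloc):
            raise ValueError("invalid host in mirror URL")
        if not PATH_RE.match(url.path) or url.query or url.fragment:
            raise ValueError("invalid path in mirror URL")
        return mirror
    if "::" in mirror:  # rsync daemon form: host::module/path
        host, _, module_path = mirror.partition("::")
        if not HOST_RE.match(host) or not PATH_RE.match(module_path):
            raise ValueError("invalid rsync mirror")
        return mirror
    if mirror.startswith("/") and PATH_RE.match(mirror):  # local directory
        return mirror
    raise ValueError("mirror is neither a URL, an rsync module, nor an absolute path")


def is_valid_mirror(mirror: str) -> bool:
    try:
        validate_mirror(mirror)
        return True
    except ValueError:
        return False


def build_rsync_cmd(mirror: str, dest: str) -> list:
    """argv list for rsync: the mirror is a single argument and no shell ever parses it."""
    return ["rsync", "-a", "--", validate_mirror(mirror), dest]


def run_rsync(mirror: str, dest: str) -> subprocess.CompletedProcess:
    # A list with the default shell=False: metacharacters are passed to rsync verbatim,
    # never interpreted, and the allowlist has already rejected them anyway.
    return subprocess.run(build_rsync_cmd(mirror, dest), check=False, capture_output=True)
```

Validation and a shell-free argv are complementary: the allowlist keeps junk out of the stored repo object, and the argv list means a value that slipped past it still cannot become a second command.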