This repository has been archived by the owner on Nov 14, 2021. It is now read-only.

Command injection vulnerability #12

Open
jsenecal opened this issue Mar 18, 2019 · 0 comments · May be fixed by #16

Comments

@jsenecal

This exporter, while nice to have, opens the server it is running on to code injection vulnerabilities as the command line parameters are not escaped and executed as-is.

Try it yourself:

curl "localhost:8085?target=\`touch%20iamnotsupposedtobehere\`"

You will then find a file where the .py script is located: iamnotsupposedtobehere
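The defect described in this report is the classic shell-string pattern: the `target` query parameter is spliced into a command string that a shell then parses. Below is an added example of the hardened form (not this exporter's own code, and not the fix from any of the linked commits): the target is validated as an IP address or RFC 1123 hostname and fping is invoked with an argument vector and no shell. The `-C`, `-q` and `-p` flags are fping's own; the wrapper function names and the 25 ms interval default are assumptions.

```python
import ipaddress
import re
import subprocess

# Vulnerable pattern this issue describes (shown for contrast, never executed here):
#   os.system("fping -C 5 -q " + target)          # shell parses backticks, ';', '|', ...
#
# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens, no
# leading/trailing hyphen, 63 chars per label, 253 total. No shell metacharacter fits.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)


def is_valid_target(target: str) -> bool:
    """Accept only an IP literal or a hostname; everything else is rejected."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return bool(_HOSTNAME_RE.match(target))


def build_fping_argv(target: str, count: int = 5, interval_ms: int = 25) -> list:
    """Build the argv for one probe run. Hypothetical wrapper for the exporter."""
    if not is_valid_target(target):
        raise ValueError(f"invalid target: {target!r}")
    if not (1 <= count <= 100) or not (10 <= interval_ms <= 10000):
        raise ValueError("count or interval out of range")
    # Each element is a separate argv entry handed straight to execve(); no shell
    # is involved. The validator also rejects a leading '-', so the target can
    # never be mistaken for an fping option.
    return ["fping", "-C", str(count), "-q", "-p", str(interval_ms), target]


def run_fping(target: str, **kwargs) -> str:
    """Run fping without a shell and return its per-probe report (fping writes it to stderr)."""
    argv = build_fping_argv(target, **kwargs)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=60, check=False)
    return proc.stderr
```

With this in place the request quoted above is refused with a 4xx-style validation error at `build_fping_argv` before any process is spawned, which is also the line worth logging for detection.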

bpbp-boop added a commit to bpbp-boop/ping-exporter that referenced this issue Sep 26, 2019
… change to the metric names.

Fix command injection vulnerability (fixes frankiexyz#12)
Change interval default to fping default (25ms)
slrtbtfs added a commit to slrtbtfs/ping-exporter that referenced this issue Dec 20, 2019
Fixes frankiexyz#12

Signed-off-by: Tobias Guggenmos <tguggenm@redhat.com>
@slrtbtfs slrtbtfs linked a pull request Dec 20, 2019 that will close this issue