diff --git a/src/modules/exec/doc/exec_admin.xml b/src/modules/exec/doc/exec_admin.xml
index fd0d88f4f55..93ea78cd87a 100644
--- a/src/modules/exec/doc/exec_admin.xml
+++ b/src/modules/exec/doc/exec_admin.xml
@@ -77,6 +77,23 @@
Otherwise they will be evaluated as &kamailio; pseudo-variables,
throwing errors.
+
+ WARNING: if the exec functions are passed variables that might include
+ malicious input, then remote attackers may abuse the exec functions to
+ execute arbitrary code. Specifically, this may result in OS command injection.
+ In such cases, input validation is required to prevent the vulnerability.
+ The following is an example of how input validation and exec module
+ functions may be used together to prevent exploitation:
+
+
+...
+if !($rU =~ "^[0-9]{1,15}$") {
+ xlog("Malformed R-URI username: '$rU'\n");
+ exit;
+}
+exec_msg("echo TEST >> /tmp/$(rU).txt");
+...
+
@@ -186,7 +203,7 @@ modparam("exec", "time_to_kill", 20)
...
exec_dset("echo TEST > /tmp/test.txt");
-exec_dset("echo TEST > /tmp/$rU.txt");
+exec_dset("echo TEST > /tmp/$(rU).txt");
...
@@ -225,7 +242,7 @@ exec_dset("echo TEST > /tmp/$rU.txt");
...
exec_msg("echo TEST > /tmp/test.txt");
-exec_msg("echo TEST > /tmp/$rU.txt");
+exec_msg("echo TEST > /tmp/$(rU).txt");
...
@@ -300,7 +317,7 @@ exec_avp("echo TEST", "$avp(s:test)");
...
exec_cmd("echo TEST > /tmp/test.txt");
-exec_cmd("echo TEST > /tmp/$rU.txt");
+exec_cmd("echo TEST > /tmp/$(rU).txt");
...
@@ -315,4 +332,3 @@ exec_cmd("echo TEST > /tmp/$rU.txt");
-