upload.py:

```python
# If the filename ends with a .log, we need to process it as a log file
[1] if ('file' in form) and (form['file'].filename.endswith('.log.gz')):
        logitem = form['file']
        logfile = logitem.file
        try:
            # Let's save the file in LOGDIR directory
            log_dir = os.path.normpath(config_get('SERVER', 'LOGDIR', cfg_dir)) + '/'
[2]         filename = os.path.join(log_dir, logitem.filename)
            output_file = open(filename, 'w')
            output_file.write(logfile.read(-1))
            output_file.close()
        except Exception, xcpt:
            # If we fail at saving, let's exit
            fatal_error("exception while saving log file: %s" % str(xcpt))
            sys.exit(1)
        # If we succeed at saving the log file, let's also exit
        # In fact we have nothing more to do once it's saved.
        log('Log file %s saved' % logitem.filename)
        sys.exit(0)
```
1 - if the file is specified ending with .log.gz, at [2], we can write an arbitrary file due to an unsanitized filename like ../../../../../../../var/log/whatever.log.gz if the httpd is overly privileged, etc.
upload.py returns Python code to be executed on the client:

```python
sys.stdout.write('''
import commands
import os
import sys
import hpacucli
import ipmi
import time
...
```
upload-health.py:

```python
if form.getvalue('session'):
    dest_dir = cfg_dir + form.getvalue('session') + '/' + dirname
else:
    dest_dir = cfg_dir + '/' + dirname
try:
    if not os.path.isdir(dest_dir):
        os.makedirs(dest_dir)
```
session = a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z for a fast fs directory-making attack.

It can also return arbitrary shell commands to be run:
```python
    '''Report a shell script with the error message and log
    the message on stderr.'''
    print('''#!/bin/sh
cat <<EOF
%s
EOF
exit 1
''' % error)
```
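The heredoc above ends at the first line that reads exactly `EOF`, so any error text the server interpolates into `%s` that contains such a line is followed by whatever the client's /bin/sh then parses as commands. The following is an added example, written in Python 3 for this page and not code from edeploy: it reproduces the heredoc rendering beside a rendering that passes the message as one shell-quoted argument, and runs both through `sh` to show which one executes the injected line. The message `HOSTILE_ERROR` is constructed for the demonstration.

```python
import shlex
import subprocess

# Constructed hostile error message (this example's input, not from the issue).
# In the heredoc rendering the bare "EOF" line closes the heredoc early and the
# lines after it are parsed by the client's /bin/sh as commands.
HOSTILE_ERROR = "disk check failed\nEOF\necho INJECTED\ncat <<EOF"


def render_error_script_unsafe(error):
    """The pattern from upload-health.py: the message is pasted into a heredoc."""
    return "#!/bin/sh\ncat <<EOF\n%s\nEOF\nexit 1\n" % error


def render_error_script_safe(error):
    """Hardened rendering (this example's, not edeploy's): the message becomes a
    single shell-quoted argument, so none of its lines can be parsed as shell
    syntax; printf '%s\\n' then prints it verbatim. Quoting the delimiter
    (<<'EOF') is not enough: a line consisting of EOF still ends the heredoc."""
    return "#!/bin/sh\nprintf '%%s\\n' %s\nexit 1\n" % shlex.quote(error)


def run_script(script):
    """Execute a generated script the way the client would, via /bin/sh reading
    it from stdin. Returns (stdout, exit status)."""
    proc = subprocess.run(["sh", "-s"], input=script, capture_output=True, text=True)
    return proc.stdout, proc.returncode


def message_survives(render, error):
    """True if the script produced by render() prints exactly `error` and exits 1,
    i.e. nothing in the message was executed or swallowed by the shell."""
    out, status = run_script(render(error))
    return out == error + "\n" and status == 1


if __name__ == "__main__":
    for name, render in (("heredoc", render_error_script_unsafe),
                         ("quoted", render_error_script_safe)):
        out, status = run_script(render(HOSTILE_ERROR))
        print("%-8s exit=%d stdout=%r" % (name, status, out))
```

Under Python 2, which the project code uses, `pipes.quote` provides the same quoting as `shlex.quote`. Note what quoting does and does not buy: it keeps an attacker-influenced error string from becoming shell commands, but the client still executes whatever the server sends, so a compromised or spoofed server retains full control of the client regardless.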
This is an incomplete fix. os.path.basename() won't properly sanitize UNC paths on Windows hosts. Also, the issue in upload.py hasn't been fixed at all.
Found in a past security audit, agreed with Tristan to make public and file issues here.
Please see https://bugzilla.redhat.com/show_bug.cgi?id=1153470
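As an added example, not code from edeploy, here is how the two handlers discussed in this issue could validate their input in Python 3. It covers the `LOGDIR` join from upload.py, the `session` concatenation and `os.makedirs` call from upload-health.py, and the point raised in the comment above that `os.path.basename()` alone does not strip Windows-style or UNC prefixes: the filename check rejects both separator styles and a drive colon regardless of host, the session id must match a one-component allow-list, and every result is resolved with `os.path.realpath` and confirmed to sit under its base directory. The directory names, the `SESSION_RE` pattern and the `accepted` helper are this example's assumptions.

```python
import os
import re

# Session ids are one path component: no separators, no dots, bounded length
# (assumed policy for this example). A value like a/b/c/.../z cannot match, so
# os.makedirs() can neither traverse nor build a deep directory tree from it.
SESSION_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# Anything that can act as a separator or drive prefix on either platform.
# os.path.basename() only understands the host's own separator, so on a
# Windows host it would leave "..\\x" or "\\\\host\\share\\x" intact.
BAD_FILENAME_CHARS = re.compile(r"[\\/:\x00]")


def vulnerable_log_path(log_dir, filename):
    """The join from upload.py, normalised only to show where open() would land."""
    return os.path.normpath(os.path.join(os.path.normpath(log_dir) + "/", filename))


def safe_log_path(log_dir, filename):
    """Hardened form (this example's, not edeploy's). Rejects rather than
    silently rewrites: a browser sends a bare filename, so separators mean
    either a buggy client or an attacker."""
    base = os.path.realpath(log_dir)
    if (not filename or BAD_FILENAME_CHARS.search(filename)
            or filename in (".", "..") or not filename.endswith(".log.gz")):
        raise ValueError("rejected filename: %r" % (filename,))
    target = os.path.realpath(os.path.join(base, filename))
    # Backstop independent of the character check: whatever the name looked
    # like, the resolved path must be directly inside LOGDIR.
    if os.path.dirname(target) != base:
        raise ValueError("path escapes LOGDIR: %r" % (filename,))
    return target


def safe_session_dir(cfg_dir, session, dirname):
    """upload-health.py built cfg_dir + session + '/' + dirname from the raw
    form value. Here `session` (falsy means absent, as with form.getvalue)
    must match SESSION_RE, and the result must stay under cfg_dir. `dirname`
    is the script's own constant, not user input."""
    if session and not SESSION_RE.match(session):
        raise ValueError("rejected session: %r" % (session,))
    base = os.path.realpath(cfg_dir)
    parts = [base] + ([session] if session else []) + [dirname]
    target = os.path.realpath(os.path.join(*parts))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes cfg_dir: %r" % (target,))
    return target


def accepted(check, *args):
    """True if check(*args) returns a path, False if it rejects with ValueError."""
    try:
        check(*args)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    traversal = "../../../../../../../var/log/whatever.log.gz"   # from the issue text
    print("unsafe join lands at:", vulnerable_log_path("/var/log/edeploy", traversal))
    for name in ("host1.log.gz", traversal, "..\\..\\x.log.gz", "\\\\evil\\share\\x.log.gz"):
        print("%-45r accepted=%s" % (name, accepted(safe_log_path, "/var/log/edeploy", name)))
    for sess in ("abc123", "a/b/c/d/e/f", "../../tmp", None):
        print("session %-14r accepted=%s" % (sess, accepted(safe_session_dir, "/etc/edeploy", sess, "health")))
```

The `realpath` comparison is the part worth keeping even if the character check is later relaxed: it is what catches a case the allow-list missed, including a symlink planted inside the directory. The two checks fail closed independently, which is the property the one-line `os.path.basename()` fix lacks.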