Post-Auth RCE Not Fixed, it's now a race condition :) #333
Comments
JimMackin added a commit that referenced this issue (Aug 6, 2015)
@JimMackin I'll review it properly (install and test) over the weekend. Will have to validate (test harness using inotify, probably) that it is not being written to disc anywhere and if it is, will have to see if there's another vector for getting it executed.
JimMackin added a commit that referenced this issue (Aug 6, 2015)
JimMackin added a commit that referenced this issue (Aug 7, 2015)
JimMackin added a commit that referenced this issue (Aug 7, 2015)
Race condition has been resolved in SuiteCRM v7.2.3 and any future releases.
mattlorimer pushed six commits that referenced this issue (Jan 18, 2016)
The Post-Auth RCE allegedly "fixed" in Commit b1b3fd6 is not fixed.
The fix simply makes the bug slightly harder to exploit, turning it from a straight-shot file upload bug into a lovely race condition. Also, I bypassed the blacklist again :)
Video proof below. A PoC will be published along with a full writeup of the vulnerability in due course, and a CVE is being requested from MITRE (or whoever decides to issue them...).

Suggested fix: Validate images BEFORE writing to disc. Writing them to disc, then checking them, is a bad idea.
Also, you were told on the commit this was a bad idea. Are we going to have to play remote-code-execution whack-a-mole for another while? Seriously, as a Crown Commercial Services Supplier, your QA process should surely have caught this.
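The suggested fix, as an added example that is not SuiteCRM's code (SuiteCRM is PHP; this is a language-neutral Python illustration with assumed function names): the upload is checked against an image-signature allowlist in memory, and only validated bytes are written, under a server-chosen name, with an atomic rename. The write-then-check function is included solely to mark where the race window the issue describes lies.

```python
import os
import secrets
import tempfile

# Allowlist of image types keyed by leading magic bytes, instead of the
# extension blacklist the issue reports bypassing.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

def detect_image_type(data: bytes):
    """Return the allowlisted type for a recognised signature, else None."""
    for magic, ext in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None

def store_write_then_check(data: bytes, client_name: str, public_dir: str):
    """The pattern the issue objects to: between write() and unlink() the file
    sits under the web root, reachable by any concurrent request."""
    path = os.path.join(public_dir, client_name)  # client-controlled name
    with open(path, "wb") as f:
        f.write(data)                  # race window opens here
    if detect_image_type(data) is None:
        os.unlink(path)                # race window closes here
        return None
    return path

def store_check_then_write(data: bytes, public_dir: str):
    """Validate first; write only validated bytes, then publish atomically."""
    ext = detect_image_type(data)
    if ext is None:
        return None                    # nothing ever touched the disk
    final = os.path.join(public_dir, f"{secrets.token_hex(16)}.{ext}")
    fd, tmp = tempfile.mkstemp(dir=public_dir, prefix=".upload-")
    with os.fdopen(fd, "wb") as f:
        f.write(data)                  # already-validated bytes only
    os.replace(tmp, final)             # final name appears only when complete
    return final

def run_demo() -> dict:
    """Exercise the safe path on constructed sample bytes in a scratch dir."""
    public_dir = tempfile.mkdtemp()
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16        # constructed PNG header
    good = store_check_then_write(png, public_dir)
    bad = store_check_then_write(b"not an image", public_dir)
    return {"good": good, "bad": bad, "files": os.listdir(public_dir)}
```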