#1 Arbitrary code execution through redirects

Status: closed
Owner: nobody
Labels: None
Priority: 5
Updated: 2006-11-11
Created: 2006-11-07
Private: No

The existing system of redirects/callbacks can be used to execute
arbitrary code. The following example was tested with Firefox with the
Web Developer extension.

1) Login and go to Sales Order entry page
2) Change the value of the hidden callback field to read:

-e?open(IN,'ledger-smb.conf');while(<IN>){print STDERR $_};close(IN);

3) Click save
4) Check the web server's error log for the contents of the config file

Discussion

  • Logged In: YES
    user_id=1366720

    Whitelisting of the script component has been added to svn. $argv untainting still should be added.

    • status: open --> closed

  • Logged In: YES
    user_id=1366720

    Fixed for 1.2 by removing exec() mechanism.

  • Chris Travers
    2007-10-12

    Logged In: YES
    user_id=80610
    Originator: NO

    Note that this never affected any released version.
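
One way to implement the script-component whitelisting that the first comment says was committed, as an added Perl example (not LedgerSMB's own code): the callback is split into a script name and a query string, the script name must match an allowlist and a strict pattern (so a leading `-` or any path component is rejected before anything is executed), and the query arguments are untainted against a narrow character class. The allowed script names and the `script?key=value` callback shape are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allowlist of callback script names (constructed sample; the project's
# real list of scripts is not shown on this page).
my %ALLOWED_SCRIPT = map { $_ => 1 } qw(oe.pl ar.pl ap.pl ic.pl);

# Return the validated script name, or undef if the callback is rejected.
# The script component is the part before the first '?'. It may only be a
# bare filename from the allowlist: no leading '-', no directory separators,
# no shell metacharacters. Using the regex capture also untaints it under -T.
sub validated_callback_script {
    my ($callback) = @_;
    return undef unless defined $callback;
    my ($script) = split /\?/, $callback, 2;
    return undef unless defined $script && $script =~ /\A([a-z]+\.pl)\z/;
    my $clean = $1;                      # untainted capture
    return $ALLOWED_SCRIPT{$clean} ? $clean : undef;
}

# Parse the query part into a key/value hash, keeping only simple
# word-character keys and values drawn from a narrow character class.
# Anything else is dropped rather than passed on to the called script.
sub validated_callback_args {
    my ($callback) = @_;
    my (undef, $query) = split /\?/, $callback, 2;
    my %args;
    for my $pair (split /&/, $query // '') {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && $k =~ /\A(\w+)\z/;
        $k = $1;
        $v //= '';
        next unless $v =~ /\A([\w.\-]*)\z/;
        $args{$k} = $1;
    }
    return \%args;
}

# Demonstration on constructed inputs: a normal callback, a callback whose
# script component is an interpreter switch (the shape of the report above),
# and a path traversal attempt. Only the first is accepted.
for my $cb ("oe.pl?action=list&id=42", "-e?print 1", "../bin/sh?x=1") {
    my $script = validated_callback_script($cb);
    if (defined $script) {
        my $args = validated_callback_args($cb);
        print "accept: $script (", join(",", map { "$_=$args->{$_}" } sort keys %$args), ")\n";
    } else {
        print "reject: $cb\n";
    }
}
```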