Command injection via db_dir configuration parameter

Brought to you by: jmaggard

#275 Command injection via db_dir configuration parameter

Milestone: v1.0 (example)

Status: open

Owner: nobody

Labels: security (3)

Priority: 5

Updated: 2015-10-23

Created: 2015-09-28

Creator: Michele Spagnuolo

Private: No

There is a command injection vulnerability via the db_dir configuration parameter.

To reproduce:

Use this configuration file minidlna.conf: db_dir=x; cat /etc/passwd;#
Run minidlna -f minidlna.conf
The injected command is executed.

This is risky because minidlna is used in several routers, executed with elevated privileges, and that parameter might be controllable by an attacker.

The vulnerable code is located at https://github.com/1100101/minidlna/blob/master/minidlna.c#L454 and at line 890 of the same file, when the -R flag is specified explicitly. Please avoid string concatenation to parameters passed to system().

Discussion

Shrimpkin - 2015-10-23

Issues with minidlna.c and system() have been previously reported in Tickets>Bugs #273.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Command injection via db_dir configuration parameter

Group

Searches

Help

#275 Command injection via db_dir configuration parameter

Discussion