On 11/22/06, Stefan Fritsch <[EMAIL PROTECTED]> wrote:
> thanks for looking into this. Unfortunately I think you are only partially right. (On the other hand, I don't use torrentflux and cannot install it ATM due to libphp-adodb brokenness, so I could be wrong as well).
A new libphp-adodb is in the works. Should be available soon.
> On Wednesday 22 November 2006 09:31, Cameron Dale wrote:
> > On 11/18/06, Stefan Fritsch <[EMAIL PROTECTED]> wrote:
> > > 1) Input passed to the "kill" parameter in index.php is not properly sanitised before being used as the command line argument to the "kill" command. This can be exploited to inject arbitrary shell commands via the ";" character.
> >
> > This doesn't apply to the current version (2.1-5), as it has had this input sanitized in fixing a previous 2.1 bug.
>
> As far as I can see, you only call htmlentities on the input. This is not enough if you use the input in a command line that is passed to a shell. For example the characters |;`$ have special meanings to the shell and are not changed by htmlentities.
In fact, in the case we were discussing before (the kill parameter), the new version will also only execute the kill command if $kill is a numeric variable. So, if it wasn't fixed before then it will be now.
> However, in the example above, the input is only passed to exec and this does not seem to use a shell but executes the command directly. So this doesn't seem to be exploitable here. On the other hand, there are various exec()s of commands that are obviously meant to be executed by a shell (with pipes or redirects). This doesn't really make sense to me (but I am no php expert). But I have found an instance where the input is passed to shell_exec(). From metaInfo.php:
>
>     $result = shell_exec("cd " . $cfg["torrent_file_path"]."; " . $cfg["pythonCmd"] . " -OO " . $cfg["btshowmetainfo "]." \"".$torrent."\"");
>
> Here the input ($torrent) is wrapped in double quotes which is not enough since the shell will interpret `command` even inside double quotes. You should use escapeshellarg() on this.
Although what you are saying makes sense to me, I cannot use it to cause a command to be executed. I have tried many combinations of inputs to the $torrent variable (including using `command`), and none of them has been successful. I can't say why it seems to catch these, but it seems to, so I will leave it at that. If you (or anyone else) can create a case where this is a security issue, please submit it as a new bug.
> > None of these is very serious, as all require a registered user to exploit the hack.
>
> While this is true, the average admin would not expect that any registered user can execute arbitrary commands or delete files. So this definitely should be fixed before etch release.
Definitely, I was just trying to calm people's fears about this being a globally accessible hack. It will of course be treated seriously, and fixed as soon as possible.

Cameron

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
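The following PHP script is an added illustration of the two points argued in the thread; it is not torrentflux code and was not posted by either participant. It shows that htmlentities() leaves the shell metacharacters |;`$ untouched, contrasts the double-quoted command string quoted from metaInfo.php with an escapeshellarg() version, and applies the numeric allow-list check described for the "kill" parameter. The $cfg values, the $torrent input and the helper names (buildMetaInfoCommandUnsafe, buildMetaInfoCommandSafe, buildKillCommand) are all constructed for this example. It assumes a POSIX shell; on Unix, PHP's exec(), shell_exec(), system() and passthru() all pass the command string to /bin/sh, so the quoting matters for each of them, and on Windows escapeshellarg() quotes differently.

```php
<?php
// Added example: not torrentflux code and not posted in the thread.
// Demonstrates htmlentities() vs escapeshellarg() on a hostile $torrent value,
// plus an allow-list check for the numeric "kill" parameter.
// Every value below is constructed; assumes a POSIX /bin/sh.

// Constructed hostile "torrent" value of the shape the thread describes:
// it closes the double quotes and carries a backtick substitution.
$torrent = 'demo.torrent"; `id`; echo "';

// Constructed stand-in for torrentflux's $cfg array (values are assumptions).
$cfg = [
    'torrent_file_path' => '/tmp',
    'pythonCmd'         => '/usr/bin/python',
    'btshowmetainfo'    => 'btshowmetainfo.py',
];

// Same shape as the line quoted from metaInfo.php: input only wrapped in
// double quotes. /bin/sh still expands `...` and $... inside double quotes.
function buildMetaInfoCommandUnsafe(array $cfg, string $torrent): string
{
    return 'cd ' . $cfg['torrent_file_path'] . '; ' . $cfg['pythonCmd']
         . ' -OO ' . $cfg['btshowmetainfo'] . ' "' . $torrent . '"';
}

// Hardened form: each externally influenced word becomes one escapeshellarg()
// token, which the shell passes to the program as a single literal argument.
function buildMetaInfoCommandSafe(array $cfg, string $torrent): string
{
    return 'cd ' . escapeshellarg($cfg['torrent_file_path']) . ' && '
         . escapeshellarg($cfg['pythonCmd']) . ' -OO '
         . escapeshellarg($cfg['btshowmetainfo']) . ' '
         . escapeshellarg($torrent);
}

// The "kill" parameter: an allow-list check is the right primitive here.
// Returns the command to run, or null when the value is not a plain PID.
function buildKillCommand(string $kill): ?string
{
    if (!ctype_digit($kill)) {
        return null;
    }
    return 'kill ' . $kill;
}

// Check 1: htmlentities() leaves every shell metacharacter in place.
$encoded = htmlentities($torrent, ENT_QUOTES);
foreach (['|', ';', '`', '$'] as $meta) {
    if (strpos($torrent, $meta) !== false && strpos($encoded, $meta) === false) {
        echo "unexpected: htmlentities() removed $meta\n";
    }
}
echo "htmlentities(): $encoded\n";

// Check 2: compare the two command strings side by side.
echo "unsafe: " . buildMetaInfoCommandUnsafe($cfg, $torrent) . "\n";
echo "safe:   " . buildMetaInfoCommandSafe($cfg, $torrent) . "\n";

// Check 3: run a harmless program with the safe quoting and confirm the
// argument arrives byte-for-byte, i.e. no substitution was performed.
$received = shell_exec('printf %s ' . escapeshellarg($torrent));
echo ($received === $torrent ? "argument preserved literally\n"
                             : "argument was altered by the shell\n");

// Check 4: the kill allow-list accepts a PID and refuses anything else.
var_dump(buildKillCommand('1234'));
var_dump(buildKillCommand('1234; id'));
```

Run it with the PHP CLI (php example.php). The single-quoted token escapeshellarg() produces is what makes the third check succeed: the shell never sees the embedded quotes or backticks as syntax, so the same string that breaks the double-quoted form is delivered to printf unchanged. The allow-list for the PID is stricter than escaping and is the better choice wherever the legitimate value space is that small.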