Ticket #2773 (closed Bugs: fixed)

Opened 5 months ago

Last modified 2 months ago

There are two old yet unpatched vulnerabilities...

Reported by: xenomuta
Assigned to:
Priority: major
Milestone: 2.5
Component: Music On Hold
Version: 2.4-branch
Keywords:
Cc:
Confirmation: Confirmed
SVN Revision (if applicable):
Backend Engine: All
Backend Engine Version:

Description

Input passed to the "del" parameter in admin/modules/music/page.music.php is not properly sanitised before being used. This can be exploited to inject and execute arbitrary commands via specially crafted requests.

Change History

04/06/08 18:55:25 changed by jfinstrom

Note: the delete function has a limited scope; it can only delete files that the web server has permissions on, so any damage wouldn't be overly catastrophic unless you run Apache as root.

04/06/08 20:42:19 changed by p_lindheimer

  • confirmation changed from Unreviewed to Confirmed.
  • milestone changed from Cut Line to 3.0.

07/03/08 05:10:18 changed by lazytt

xenomuta: thank you for the post. Any chance that you can post a patch to address the issue?

07/13/08 18:27:53 changed by p_lindheimer

  • status changed from new to closed.
  • resolution set to fixed.

I saw the one exploit, you mentioned two. If there is another one that you are aware of that is not addressed by the fix provided, please post a new bug and provide details. Thanks.

Fix is to use php unlink() command which will keep from being able to inject commands like was the case when exec-ing an 'rm' command. (Where you could inject something like: del=rm -rf /var/www/html/admin which was pretty serious).

r5995, r5996, r5997, r5998, r5999 (fixed in 2.3, 2.4, 2.5)
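
The change described in this ticket, sketched as an added example (not the FreePBX code from r5995-r5999): the shell-based delete is shown only as a comment for contrast, next to a delete that uses unlink() and also confines the name to one directory, since unlink() on its own removes the shell but still accepts "../" in a path. The function name `moh_delete_file` and the demo paths are assumptions made for illustration.

```php
<?php
// Added example with hypothetical names; not code from FreePBX.

// Pattern the ticket describes (for contrast only, never executed here):
//   exec("rm " . $dir . "/" . $_REQUEST['del']);
// The request value is handed to a shell, which interprets metacharacters.

/**
 * Delete one file from $dir by name without involving a shell.
 * Returns true only if a regular file directly inside $dir was removed.
 */
function moh_delete_file(string $dir, string $name): bool
{
    // Keep only the last path component so "../" cannot leave $dir.
    $base = basename($name);
    if ($base === '' || $base === '.' || $base === '..') {
        return false;
    }
    // realpath() resolves symlinks and returns false for a missing path.
    $root   = realpath($dir);
    $target = realpath($dir . DIRECTORY_SEPARATOR . $base);
    if ($root === false || $target === false) {
        return false;
    }
    // The resolved target must be a regular file sitting directly in $dir.
    if (dirname($target) !== $root || !is_file($target)) {
        return false;
    }
    // unlink() treats the whole string as a file name; nothing is parsed as a command.
    return unlink($target);
}

// Constructed demo data in a throwaway temp directory.
$tmp = sys_get_temp_dir() . '/moh_demo_' . bin2hex(random_bytes(4));
mkdir("$tmp/moh", 0700, true);
file_put_contents("$tmp/moh/track.wav", 'x');
file_put_contents("$tmp/keep.txt", 'x');

var_dump(moh_delete_file("$tmp/moh", 'track.wav'));         // plain file name
var_dump(moh_delete_file("$tmp/moh", '../keep.txt'));       // name pointing outside the directory
var_dump(moh_delete_file("$tmp/moh", 'track.wav; echo x')); // shell metacharacters, literal name only
var_dump(file_exists("$tmp/keep.txt"));                     // file outside the directory

// Clean up the demo files.
unlink("$tmp/keep.txt");
rmdir("$tmp/moh");
rmdir($tmp);
```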