I am being generic as possible before posting more details so that I can verify if this post is private.
Please make this private or tell me where to send a report with more details. Thanks.
Created attachment 617: Command Injections
There are 2 command injections in backup.cgi. Please see the attached report.
Would you be able to send me your name for credit for finding this?
Created attachment 618: 0001-backup-Sanitise-FILE-parameter.patch
Please review the two patches attached that will fix this issue.
Created attachment 619: 0002-backup-Sanitise-content-of-ADDON-variable.patch
Sure, please credit Reginald Dodd. MITRE has assigned CVE-2018-16232 to this issue, so refer to this in any advisory. I will take a look at the patches.
Correct me if I'm wrong but $file would still allow command injection like this: file`whoami`.iso
Addon would not be fixed either.
(In reply to DipSec from comment #7)
> Correct me if I'm wrong but $file would still allow command injection like
> this: file`whoami`.iso
> Addon would not be fixed either.

No, that isn't possible any more. FILE needs to end in .ipf or .iso and then the existence of the file is checked. If it doesn't exist (which `whoami`.iso won't), undef is returned and the script exits. I am not aware that Perl's (-e "filename") is vulnerable to any shell command execution.
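To make the check described in comment #9 concrete, here is an added illustration (not the attached IPFire patch, whose exact regex may differ): the FILE parameter is accepted only as a plain name ending in .ipf or .iso that already exists in an assumed backup directory, and otherwise undef is returned. The `-e` test is a stat(2) call and never hands the string to a shell, so a name like file`whoami`.iso is simply rejected.

```perl
#!/usr/bin/perl
# Added example, not the project's own code. The backup directory and
# the sample file names are constructed for the demonstration.
use strict;
use warnings;
use File::Temp qw(tempdir);

my $BACKUP_DIR = tempdir(CLEANUP => 1);   # stands in for the real backup directory

# Return the sanitised file name, or undef if the parameter is unacceptable.
# The caller is expected to stop (exit) when undef comes back.
sub sanitise_file {
    my ($file) = @_;
    return undef unless defined $file;

    # Only a bare name (no directory part) built from a conservative
    # character set, and it must end in .ipf or .iso.
    return undef unless $file =~ /^([A-Za-z0-9._-]+\.(?:ipf|iso))$/;
    $file = $1;    # captured group: also untaints under perl -T

    # The file must already exist in the backup directory. -e performs a
    # stat() on the path; no shell is involved, so backticks or ';' in the
    # name could never be executed even if the regex above let them through.
    return undef unless -e "$BACKUP_DIR/$file";

    return $file;
}

# Self-check with constructed inputs: create one legitimate backup file,
# then run a mix of benign and hostile parameters through the validator.
open(my $fh, '>', "$BACKUP_DIR/2018-09-01.ipf") or die "cannot create sample: $!";
close $fh;

for my $input ('2018-09-01.ipf', 'file`whoami`.iso', '../../etc/passwd',
               'missing.iso', 'x;id.ipf', 'report.txt') {
    my $ok = sanitise_file($input);
    printf "%-20s -> %s\n", $input,
        defined $ok ? "accepted ($ok)" : 'rejected (undef)';
}
# Only '2018-09-01.ipf' is accepted: the hostile names fail the regex,
# and 'missing.iso' passes the regex but fails the existence check.
```

If the validated name is later passed to an external program, use the list form of system() or open() so that the argument never reaches a shell at all.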
I took another look at it and your fixes should correct the issues. It's definitely more secure now than before.
Any update on when your proposed fixes will make it into a patch?
Patches are available. Since we don't have a release date for the next update yet, I didn't want to publish this. Would you be okay with merging the fixes into our public repository and therefore disclosing this vulnerability?
Unfortunately, I don't have much time to dedicate to this other than checking up on the status. I hope the fixes make it into your next release.
I have just merged the two patches into our development branch and they are scheduled to be released with Core Update 124:
https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=7f6257e0a475681ff243ead159cafee2e03f6265
https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=614764e58af6dd710658fd072ed9b3a1b51f805a
Thank you very much for finding and reporting this! I will make this ticket public now.
The update is now available for testing: https://planet.ipfire.org/post/ipfire-2-21-core-update-124-is-available-for-testing