No subject


Wed Nov 1 13:33:20 EST 2006


/**
 * Executes a command using the wrapper (with root access rights).
 * Used to write files or create/remove folders,
 * because user apache itself has no write access.
 */
function root_exec($cmd)
{
  //some basic check for invalid input
  $cmd = ereg_replace(';.*', '', $cmd);

  $output = shell_exec("./wrapper $cmd 2>&1");
  //print "<xmp>$cmd \n----- \n$output</xmp>\n";  //debug

  return $output;
}

How may I 0wn thee? Luckily, there does seem to be some validation of the
commands sent, but I can't justify the use of root shell scripts using badly
sanitized attacker data. It makes my skin crawl.

Some more unvalidated variables:

if (WebApp::first_time())
{
  $path = $_SERVER["QUERY_STRING"];
  WebApp::addSVar("folderListing->fileFilter", ".*");
  WebApp::addSVar("folderListing->root", APP_PATH);
  WebApp::addSVar("folderListing->currentPath", $path);
}

  /**
   * Add a session variable. 
   * @see getSVar(), setSVar()
   */
  function addSVar($var_name, $var_value, $db =false)
  {
    global $session;
    $session->addVar($var_name, $var_value, $db);
  }
  
The variable currentPath is then used without validation several times, with
local files pulled in using the unvalidated contents of the query string
(see onRender() in folderListing.php).

Adrian, sorry dude - the code is full of holes. I suggest continuing to look
for another package.

Andrew
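For comparison, here is how the two spots Andrew flags could be closed: an allowlisted verb instead of a free-form command string, and a realpath-based check that keeps currentPath under the application root. This is an added example, not code from the reviewed package; APP_PATH, the wrapper location and the verb names are assumptions.

```php
<?php
// Added example; APP_PATH and WRAPPER are assumptions, not the package's own.
define('APP_PATH', '/var/www/app');
define('WRAPPER', './wrapper');

// Only these verbs may reach the privileged helper; no request text is ever
// interpreted as shell grammar, so stripping ';' is no longer the defence.
$ALLOWED_OPS = array('mkdir' => true, 'rmdir' => true, 'write' => true);

/**
 * Canonicalise a user-supplied relative path and confirm it stays under
 * APP_PATH. Returns the absolute path, or false if it would escape the root.
 */
function confined_path($relative)
{
    if ($relative === '' || strpos($relative, "\0") !== false) {
        return false;
    }
    $root = realpath(APP_PATH);
    // The leaf may not exist yet (mkdir, new file), so resolve its parent.
    $parent = realpath($root . '/' . dirname($relative));
    $base = basename($relative);
    if ($root === false || $parent === false
        || $base === '' || $base === '.' || $base === '..') {
        return false;
    }
    // Resolved parent must be the root itself or lie beneath it.
    if ($parent !== $root && strpos($parent, $root . '/') !== 0) {
        return false;
    }
    return $parent . '/' . $base;
}

/**
 * Hardened replacement for root_exec(): an allowlisted verb and one confined
 * path, each passed to the wrapper as a separately quoted argument.
 */
function root_exec_safe($op, $relative)
{
    global $ALLOWED_OPS;
    if (!isset($ALLOWED_OPS[$op])) {
        return false;
    }
    $path = confined_path($relative);
    if ($path === false) {
        return false;
    }
    $cmd = escapeshellcmd(WRAPPER) . ' ' . escapeshellarg($op) . ' '
         . escapeshellarg($path) . ' 2>&1';
    return shell_exec($cmd);
}
```

The wrapper still runs as root, so it should re-validate its own argv rather than trust the web layer; a caller-side check alone leaves the setuid boundary unguarded.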
