No subject
Wed Nov 1 13:33:20 EST 2006
/**
 * Executes a command using the wrapper (with root access rights).
 * Used to write files or create/remove folders,
 * because user apache itself has no write access.
 */
function root_exec($cmd)
{
    //some basic check for invalid input
    $cmd = ereg_replace(';.*', '', $cmd);
    $output = shell_exec("./wrapper $cmd 2>&1");
    //print "<xmp>$cmd \n----- \n$output</xmp>\n"; //debug
    return $output;
}
How may I 0wn thee? Luckily, there does seem to be some validation of the
commands sent, but I can't justify the use of root shell scripts using badly
sanitized attacker data. It makes my skin crawl.
Some more unvalidated variables:
if (WebApp::first_time())
{
    $path = $_SERVER["QUERY_STRING"];
    WebApp::addSVar("folderListing->fileFilter", ".*");
    WebApp::addSVar("folderListing->root", APP_PATH);
    WebApp::addSVar("folderListing->currentPath", $path);
}

/**
 * Add a session variable.
 * @see getSVar(), setSVar()
 */
function addSVar($var_name, $var_value, $db = false)
{
    global $session;
    $session->addVar($var_name, $var_value, $db);
}
The variable currentPath is then used without validation several times, with
local files pulled in using the unvalidated contents of the query string
(see onRender() in folderListing.php).
Adrian, sorry dude - the code is full of holes. I suggest you continue looking
for another package.
Andrew
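Added example (not code from the reviewed package or from Andrew's message) illustrating the two points raised above: why stripping ';' from $cmd in root_exec() is not command-injection protection, and the containment check that is missing on folderListing->currentPath. The wrapper name ./wrapper, the verb names mkdir/rmdir/write and the attacker strings are assumptions constructed for the demonstration; preg_replace() stands in for ereg_replace(), which was removed in PHP 7.

```php
<?php
// Added example for this review, not code from the reviewed package.
// (1) the package's ';' filter and inputs that pass through it unchanged;
// (2) a root_exec() replacement that never hands the shell attacker text;
// (3) the missing containment check for the user-supplied currentPath.
// './wrapper', the verb names and the sample inputs are assumptions.

// The package's filter, as posted: drop everything from the first ';' on.
// ereg_replace() is gone in PHP 7; /s makes '.' span newlines like POSIX '.'.
function original_filter(string $cmd): string
{
    return preg_replace('/;.*/s', '', $cmd);
}

// Constructed attacker inputs. Only the last one contains ';', so the others
// reach shell_exec() untouched and still run a second command as root.
function bypass_candidates(): array
{
    return [
        'mkdir /var/www/data/x | id',
        'mkdir /var/www/data/x && id',
        'mkdir /var/www/data/$(id)',
        'mkdir /var/www/data/`id`',
        "mkdir /var/www/data/x\nid",
        'mkdir /var/www/data/x; id',
    ];
}

// Returns the candidates that original_filter() leaves byte-for-byte intact.
function surviving_bypasses(): array
{
    return array_values(array_filter(
        bypass_candidates(),
        fn(string $c) => original_filter($c) === $c
    ));
}

// Hardened replacement for root_exec(): an allowlisted verb plus arguments
// passed to the wrapper as an argv array via proc_open() (PHP >= 7.4), so no
// shell parses attacker-influenced text at all. The (assumed) wrapper must
// still validate its own arguments, because it is the part running as root.
const ALLOWED_VERBS = ['mkdir', 'rmdir', 'write'];

function safe_root_exec(string $verb, array $args, string $wrapper = './wrapper'): string
{
    if (!in_array($verb, ALLOWED_VERBS, true)) {
        throw new InvalidArgumentException("verb not allowed: $verb");
    }
    foreach ($args as $a) {
        if (!is_string($a) || strpos($a, "\0") !== false) {
            throw new InvalidArgumentException('invalid argument');
        }
    }
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(array_merge([$wrapper, $verb], $args), $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start wrapper');
    }
    $out = stream_get_contents($pipes[1]) . stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// The check missing on folderListing->currentPath: resolve the user-supplied
// path under the application root and refuse anything that escapes it.
// realpath() canonicalises '..' and symlinks before the prefix comparison.
function contain_path(string $root, string $userPath): ?string
{
    $realRoot  = realpath($root);
    $candidate = realpath($root . DIRECTORY_SEPARATOR . $userPath);
    if ($realRoot === false || $candidate === false) {
        return null;
    }
    $prefix = rtrim($realRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // Trailing separator stops "/var/www/app-old" matching root "/var/www/app".
    return strncmp($candidate . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) === 0
        ? $candidate
        : null;
}

if (PHP_SAPI === 'cli') {
    foreach (surviving_bypasses() as $c) {
        echo 'filter left intact: ', json_encode($c), "\n";
    }
    // Constructed directory tree in the temp dir for the containment check.
    $root = sys_get_temp_dir() . '/listing_' . bin2hex(random_bytes(4));
    mkdir($root . '/docs', 0700, true);
    var_dump(contain_path($root, 'docs'));
    var_dump(contain_path($root, '../../etc'));
    var_dump(contain_path($root, 'docs/../../..'));
    rmdir($root . '/docs');
    rmdir($root);
}
```

Run with `php example.php`: the pipe, `&&`, `$()`, backtick and newline inputs all survive the filter, only the `;` form is cut, which is the gap Andrew's remark points at. The `docs` case resolves to a path under the root; the two `..` cases resolve outside it and come back NULL. On PHP older than 7.4, where proc_open() does not accept an array, the fallback is shell_exec() with every argument wrapped in escapeshellarg(), which is still far safer than interpolating $cmd directly.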
_______________________________________________
Owasp-guide mailing list
Owasp-guide at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/owasp-guide