Bug 852916 (Closed)
Opened 12 years ago; closed 12 years ago
LDAP Management: Possible Command Injection Vulnerability in adapters/postini.py
Categories: Webtools Graveyard :: Phonebook (defect)
Tracking: Not tracked
Status: VERIFIED FIXED
People: Reporter: freddy; Assigned: rtucker
Keywords: sec-critical, wsec-injection
Attachments (1 file, 1 obsolete file): patch, 937 bytes, freddy: review+
Description (Reporter, 12 years ago)

This code that handles postini uses user input in commands that are being executed at system level. If the sanitation function can be bypassed, attackers may compromise the whole system the Management Interface runs on.

Instead of the current approach, I would advocate for using a different command execution function that allows the separation of the command and its parameters, e.g. Popen.

My PoC exploit didn't work because I assume that the dev-server doesn't really use the postini bridge and I felt a bit hesitant to try my exploit on production just to prove a point :)

But I successfully registered a username with the email address <fbrau`sleep${IFS}5`n2@mozilla.com>, which makes me quite confident we should fix this quickly.
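The report's two points (a string built for os.system() is parsed by /bin/sh, and a backtick with ${IFS} standing in for a space slips past a filter that only blocks spaces and semicolons) can be reproduced offline. The following is an added example, not code from the Phonebook project or the reporter; it uses `echo` as a stand-in for the real postini command line, a hypothetical `naive_sanitize` blocklist (the project's actual filter is not shown in the bug), and `echo${IFS}PWNED` instead of `sleep${IFS}5` so the marker is visible and the run is instant.

```python
import subprocess

# Constructed input modelled on the report's test account: a backtick
# command substitution whose inner command uses ${IFS} instead of a
# literal space.  "echo${IFS}PWNED" stands in for "sleep${IFS}5".
INJECTED_EMAIL = "fbrau`echo${IFS}PWNED`n2@mozilla.com"


def naive_sanitize(value):
    """Hypothetical blocklist filter (assumption, not the project's code).

    It rejects the obvious shell metacharacters, but like most blocklists
    it misses some: the backtick, and ${IFS} as a space substitute.
    """
    for bad in (" ", ";", "|", "&", "$(", ">", "<"):
        if bad in value:
            raise ValueError("rejected: %r" % bad)
    return value


def run_via_shell(email):
    """The os.system() pattern: the address is spliced into one string and
    /bin/sh parses it.  shell=True is what os.system() does internally
    (sh -c); it is used here only so the output can be captured and compared.
    """
    cmd = "echo %s" % email  # stands in for the real postini command line
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.strip()


def run_via_argv(email):
    """The fix the report asks for: command and each argument as separate
    list elements, so no shell ever sees the address.  The backticks and
    ${IFS} reach the child process as plain characters.
    """
    out = subprocess.run(["echo", email], capture_output=True, text=True)
    return out.stdout.strip()


if __name__ == "__main__":
    naive_sanitize(INJECTED_EMAIL)  # passes: no space, ';', '|' or '$('
    # The shell executes the backtick payload and splices its output in:
    print("shell:", run_via_shell(INJECTED_EMAIL))  # fbrauPWNEDn2@mozilla.com
    # The argv form prints the address exactly as entered:
    print("argv: ", run_via_argv(INJECTED_EMAIL))
```

The argv form removes shell parsing but not every risk: a value beginning with `-` can still be read as an option by the called program, so put user-supplied values after a `--` separator where the tool supports it. If a shell string is genuinely unavoidable, each value must be wrapped with `shlex.quote()`; a blocklist like the one above is not a substitute.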
Updated (Assignee), 12 years ago
Assignee: nobody → rtucker

Comment 1 (Assignee), 12 years ago
How did you inject the username fbrau`sleep${IFS}5`n2@mozilla.com?
Did you do this by calling the PostiniUser directly from a python shell script or from the web interface?
Comment 2 (Reporter), 12 years ago
I just added it from the web interface on ldap-dev.
See https://ldap-dev.allizom.org/manage/users/search/?search=secreview
Comment 3 (Assignee), 12 years ago
Attachment #727141 - Flags: review?(fbraun)
Comment 4 (Assignee), 12 years ago
Attachment #727141 - Attachment is obsolete: true
Attachment #727141 - Flags: review?(fbraun)
Attachment #727163 - Flags: review?(fbraun)
Comment 5 (Reporter), 12 years ago
Comment on attachment 727163 [details] [diff] [review]: Patch to use popen
Looks good!
Attachment #727163 - Flags: review?(fbraun) → review+
Comment 6 (Reporter), 12 years ago
This patch didn't fix all of the os.system() calls, but I talked to rtucker out of band and they are going to be checked in to the repo after my tests are completed.
Comment 7 (Assignee), 12 years ago
I've patched all of the os.system calls to use popen.
Can you confirm and then we can close.
Thanks again for everything!
Comment 8 (Reporter), 12 years ago
Verified.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated (Reporter), 12 years ago
Status: RESOLVED → VERIFIED
Updated, 10 years ago
Group: webtools-security
Updated, 5 years ago
Product: Webtools → Webtools Graveyard