{proxy,chpasswd}.cgi: Fix a remote code execution vulnerability

Handcrafted requests containing shell commands could be sent to these
CGI files to gain shell access as an unprivileged user.

References: #11087

Reported-by: Yann Cam <yann.cam@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer
2016-04-04 16:41:30 +01:00
parent f367d5b388
commit 0aff7b8196
2 changed files with 16 additions and 35 deletions


@@ -20,6 +20,7 @@
############################################################################### ###############################################################################
use CGI qw(param); use CGI qw(param);
use Apache::Htpasswd;
use Crypt::PasswdMD5; use Crypt::PasswdMD5;
$swroot = "/var/ipfire"; $swroot = "/var/ipfire";
@@ -74,48 +75,25 @@ if ($cgiparams{'SUBMIT'} eq $tr{'advproxy chgwebpwd change password'})
$errormessage = $tr{'advproxy errmsg password length 1'}.$proxysettings{'NCSA_MIN_PASS_LEN'}.$tr{'advproxy errmsg password length 2'}; $errormessage = $tr{'advproxy errmsg password length 1'}.$proxysettings{'NCSA_MIN_PASS_LEN'}.$tr{'advproxy errmsg password length 2'};
goto ERROR; goto ERROR;
} }
if (! -z $userdb)
{
open FILE, $userdb;
@users = <FILE>;
close FILE;
$username = ''; my $htpasswd = new Apache::Htpasswd("$userdb");
$cryptpwd = '';
foreach (@users) # Check if a user with this name exists
{ my $old_password = $htpasswd->fetchPass($cgiparams{'USERNAME'});
chomp; if (!$old_password) {
@temp = split(/:/,$_);
if ($temp[0] =~ /^$cgiparams{'USERNAME'}$/i)
{
$username = $temp[0];
$cryptpwd = $temp[1];
}
}
}
if ($username eq '')
{
$errormessage = $tr{'advproxy errmsg invalid user'}; $errormessage = $tr{'advproxy errmsg invalid user'};
goto ERROR; goto ERROR;
} }
if (
!(crypt($cgiparams{'OLD_PASSWORD'}, $cryptpwd) eq $cryptpwd) && # Reset password
!(apache_md5_crypt($cgiparams{'OLD_PASSWORD'}, $cryptpwd) eq $cryptpwd) if (!$htpasswd->htpasswd($cgiparams{'USERNAME'}, $cgiparams{'NEW_PASSWORD_1'},
) $cgiparams{'OLD_PASSWORD'})) {
{
$errormessage = $tr{'advproxy errmsg password incorrect'}; $errormessage = $tr{'advproxy errmsg password incorrect'};
goto ERROR; goto ERROR;
} }
$returncode = system("/usr/sbin/htpasswd -b $userdb $username $cgiparams{'NEW_PASSWORD_1'}");
if ($returncode == 0) $success = 1;
{ undef %cgiparams;
$success = 1;
undef %cgiparams;
} else {
$errormessage = $tr{'advproxy errmsg change fail'};
goto ERROR;
}
} }
ERROR: ERROR:
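Review bot: The failure branch of the three-argument `$htpasswd->htpasswd(...)` call in the second hunk sets `advproxy errmsg password incorrect` for every false return, and the former `advproxy errmsg change fail` path is removed. A password file that could not be locked or written would therefore presumably be reported to the user as a wrong old password. I would verify the old password separately with `$htpasswd->htCheckPassword($cgiparams{'USERNAME'}, $cgiparams{'OLD_PASSWORD'})` and keep `$errormessage = $tr{'advproxy errmsg change fail'};` for a failed update, logging `$htpasswd->error` there. It is also worth confirming which hash scheme the module writes by default; if that is traditional crypt(), constructing it with `UseMD5 => 1` would avoid storing new passwords in the weaker format. The enclosing `if` block starts outside the hunk.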


@@ -27,6 +27,7 @@
# #
use strict; use strict;
use Apache::Htpasswd;
# enable only the following on debugging purpose # enable only the following on debugging purpose
#use warnings; #use warnings;
@@ -4134,7 +4135,9 @@ sub adduser
close(FILE); close(FILE);
} else { } else {
&deluser($str_user); &deluser($str_user);
system("/usr/sbin/htpasswd -b $userdb $str_user $str_pass");
my $htpasswd = new Apache::Htpasswd("$userdb");
$htpasswd->htpasswd($str_user, $str_pass);
} }
if ($str_group eq 'standard') { open(FILE, ">>$stdgrp"); if ($str_group eq 'standard') { open(FILE, ">>$stdgrp");
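Review bot: The result of `$htpasswd->htpasswd($str_user, $str_pass);` in `adduser` is discarded, and the call runs directly after `&deluser($str_user)`, so a failed write would leave the account removed with nothing reported. Test the return value and surface `$htpasswd->error` to the caller or the log when it is false. The hunk also does not show where `$str_user` is validated. Because the module now writes the name into the password file itself, confirm that `:` and line breaks are rejected before this point. The body of `adduser` starts and ends outside the hunk.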