[Vtigercrm-developers] [CRITICAL] possible code injection vulnerability
Enrico Weigelt
weigelt at metux.de
Tue Jun 26 13:08:29 PDT 2007
* J Zakhar <john at tantor.com> wrote:
> Should it not be $_REQUEST['var']; ?
Both are valid.
> Second, using that array, you have to form post to the page for the
> variables in $_REQUEST/$_POST/$_GET to get filled.
$_REQUEST contains both, from $_GET and $_POST (aka independent
from request method).
> I just tested it here and the original poster is correct, if you drop in
> your own action you can get a remote code execution situation.
>
> Yeah in the code we have
>
> $action = '';
> if(isset($_REQUEST['action']))
> {
> $action = $_REQUEST['action'];
> }
we should put something like
(preg_match('~([A-Za-z_\.]+)~', $_REQUEST['action'], $xxx)
&& ($action = $xxx[1]));
in here.
Same w/ $module + friends here.
cu
--
---------------------------------------------------------------------
Enrico Weigelt == metux IT service
phone: +49 36207 519931 www: http://www.metux.de/
fax: +49 36207 519932 email: contact at metux.de
cellphone: +49 174 7066481
---------------------------------------------------------------------
-- DSL from 0 Euro. -- static IP -- UUCP -- Hosting -- Webshops --
---------------------------------------------------------------------
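
Added example (not part of the original message and not vtiger's code): a whole-string allow-list check for the `action` and `module` parameters, shown next to the unanchored pattern from the message and run over constructed inputs. The function names, the character set, the default values and the sample inputs are assumptions.

```php
<?php
// Added example, not vtiger code. Names and sample values are hypothetical.

// Accept $value only if the WHOLE string consists of allowed characters.
// \A and \z anchor the match; the character set is an assumption.
function clean_identifier($value, $default = '')
{
    if (!is_string($value)) {   // e.g. ?action[]=x is delivered as an array
        return $default;
    }
    return preg_match('~\A[A-Za-z0-9_]+\z~', $value) === 1 ? $value : $default;
}

// The unanchored pattern from the message: it returns the first run of
// allowed characters found anywhere in the input instead of rejecting it.
function first_allowed_run($value)
{
    if (is_string($value) && preg_match('~([A-Za-z_\.]+)~', $value, $m)) {
        return $m[1];
    }
    return '';
}

// Constructed inputs standing in for $_REQUEST['action'].
$samples = array('index', 'DetailView', '../../tmp/x', 'Save;phpinfo()', '', array('x'));

foreach ($samples as $raw) {
    printf(
        "%-18s first_run=%-12s whole_string=%s\n",
        json_encode($raw, JSON_UNESCAPED_SLASHES),
        json_encode(first_allowed_run($raw)),
        json_encode(clean_identifier($raw))
    );
}

// The same check applied to both parameters of a constructed request.
// The defaults 'Home' and 'index' are placeholders, not vtiger values.
$request = array('module' => 'Accounts', 'action' => '../../tmp/x');
$module  = clean_identifier(isset($request['module']) ? $request['module'] : null, 'Home');
$action  = clean_identifier(isset($request['action']) ? $request['action'] : null, 'index');
printf("module=%s action=%s\n", $module, $action);
```

Falling back to a default when the whole string does not match, rather than extracting the matching part, keeps a partially valid input from being used as the action or module name.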