| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <e09c5db3-51b5-992c-d3c4-9d1c5686f1a4@thelounge.net>
Date: Fri, 13 May 2016 17:51:42 +0200
From: Reindl Harald <h.reindl@...lounge.net>
To: fulldisclosure@...lists.org
Subject: Re: [FD] runAV mod_security Remote Command Execution
Am 13.05.2016 um 17:30 schrieb Rio Sherri:
> # Title : runAV mod_security Remote Command Execution
> # Date : 13/05/2016
> # Author : R-73eN
> # Tested on : mod_security with runAV Linux 4.2.0-30-generic #36-Ubuntu SMP
> Fri Feb 26 00:57:19 UTC 2016 i686 i686 i686 GNU/Linux
> # Software :
> https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/master/util/av-scanning/runAV
> # Vendor : https://www.modsecurity.org/
> # https://www.infogen.al/
>
> sprintf (cmd, "/usr/bin/clamscan --no-summary %s", argv[1]);
> The argv[1] parameter is passed unsanitized to a sprintf function
> which sends the formatted output to the cmd variable,
> which is later passed as a parameter to a run_cmd function on line 14
i don't think so because the temp-files of mod-security to inspect
uploads are not controlled by the client and don't contain anything in
their names which could be critical
Download attachment "signature.asc" of type "application/pgp-signature" (182 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists