•  
      request #10397 OS command injection through a filename when the file's history is displayed in the web Git browser
    Infos
    #10397
    Thomas Gerbet (tgerbet)
    2017-09-18 08:59
    2017-07-03 15:40
    10646
    Details
    OS command injection through a filename when the file's history is displayed in the web Git browser

    A command injection can be achieved by users that are able commit files in a Git repo.

    Impact

    An attacker could use this vulnerability to execute code on the server as the codendiadm user.
    CVSSv3 score: 8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

    Exploitation

    1. Create a repo
    2. Create a file named | echo Tuleap > ${PATH:0:1}tmp${PATH:0:1}injectpoc, commit and push the file to the repo you have created
    3. Access to the file history with the web Git browser
    4. A file /tmp/injectpoc is created

    References

    CVE-2017-1000214

    CWE-78

    SCM/Git
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Empty
    Closed
    2017-07-05
    Attachments
    Empty
    References

    Follow-ups

    User avatar
    Thomas Gerbet (tgerbet)2017-08-23 19:34
    CVE-2017-1000214 has been assigned by the DWF project to this vulnerability.

    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    User avatar
    Integrated into Tuleap 9.9.99.85

    • Status changed from Under review to Closed
    • Connected artifacts
    • Close date set to 2017-07-05
    User avatar
    Thomas Gerbet (tgerbet)2017-07-05 14:36
    pr #59 has been integrated, package publication in the repository is waiting for the next publication.

    I'm going to propose a contribution so that people only doing the update with yum update tuleap\* are forced to also get the updated GitPHP package.