Hi,
I don't know if anyone cares (or I'm overly paranoid), but there are
several PHP scripts in the operators' panel that unintentionally will give
you either complete shell access to the machine running the BOINC server
or full MySQL server access.
Example: html/ops/show_log.php
User parameters are passed completely unchecked to the passthru command,
and sending a simple
"' && echo 'Hi folks"
as a regexp will show you, why I consider this rather aehm worrying :)
The file parameter doesn't check if I walk around the directories, so
removing occurrences of ".." and "~" and the like should be a must.
At the very least, please change the end of the file to something like
this:
------> snipp <-----
// $f (file name), $s (search pattern), $l (line count) and $log_dir
// come from the surrounding show_log.php.
$f = basename($f);                // drop any directory component
if ($f == "." || $f == "..") {    // basename() keeps these two, so reject them
    $f = "";
}
$f = str_replace("~", "", $f);    // no home-directory expansion either
$l = (int)$l;                     // line count is interpolated unquoted below
if (strlen($f)) {
    $f = "../log*/" . $f;
} else {
    $f = "../log*/*.log";
}
if ($s) {
    chdir($log_dir);
    // escapeshellarg() quotes the whole pattern as one argument;
    // escapeshellcmd() would still let spaces split it into several.
    passthru("../bin/grep_logs -html -l $l " .
        escapeshellarg($s) . " " . join(" ", glob($f)) . " 2>&1");
}
------> snipp <-----
Next candidate: db_form.php
There is this very promising "Additional clauses" parameter which will
happily add anything to the search sql query I like.
Needless to say, I can send arbitrary SQL commands to the server,
either using subselects or some other escape trickery.
To be honest: does anyone use that feature? If I were you I'd remove it
completely...
I haven't looked into all the files; those I found just by accident...
Cheers,
Peter
--
To kick or not to kick... -- Somewhere on IRC, inspired by Shakespeare
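The two patterns reported above (user input reaching passthru, and a free-form SQL clause) can be handled by validating against an allowlist instead of stripping characters; the following is an added example, not BOINC's own code, and the function names, the column list and the `grep_logs` option handling are assumptions.

```php
<?php
// Added example (not BOINC's code): hardened forms of the two patterns
// reported above. Function names and the column allowlist are hypothetical.

// Build the grep_logs command line so that no user input reaches the shell
// unquoted. The file name must match a strict allowlist (so "../", "~", "*"
// and quotes are rejected rather than stripped) and the pattern is passed as
// one quoted argument. $log_dir is trusted server configuration.
function build_log_command(string $file, string $pattern, string $log_dir, int $lines = 100): string
{
    if ($file !== '' && !preg_match('/^[A-Za-z0-9_.-]+\.log$/', $file)) {
        throw new InvalidArgumentException('invalid log file name');
    }
    // A pattern starting with "-" could be read as an option by grep_logs
    // (assumed to pass its arguments through to grep), so refuse it.
    if ($pattern === '' || $pattern[0] === '-') {
        throw new InvalidArgumentException('invalid search pattern');
    }
    $target = $log_dir . '/' . ($file === '' ? '*.log' : $file);
    return '../bin/grep_logs -html -l ' . $lines . ' '
        . escapeshellarg($pattern) . ' ' . escapeshellarg($target) . ' 2>&1';
}

// Replace the free-form "additional clauses" field with a list of
// (column, operator, value) triples. Column and operator come from
// allowlists; values are bound parameters, never concatenated into SQL.
// Returns [sql, params] for use with a prepared statement.
function build_where(array $conditions): array
{
    $columns = ['id', 'name', 'appid', 'server_state'];   // hypothetical allowlist
    $ops     = ['=', '<', '>', '<=', '>=', 'LIKE'];
    $parts = [];
    $params = [];
    foreach ($conditions as $i => [$col, $op, $val]) {
        if (!in_array($col, $columns, true) || !in_array($op, $ops, true)) {
            throw new InvalidArgumentException('disallowed column or operator');
        }
        $parts[] = "$col $op :p$i";
        $params[":p$i"] = $val;
    }
    $sql = 'SELECT * FROM result' . ($parts ? ' WHERE ' . implode(' AND ', $parts) : '');
    return [$sql, $params];
}

// Constructed inputs: the first call builds a safe command line, the second a
// parameterised query; the third throws because "1 OR 1=1" is not an operator.
echo build_log_command('sched.log', "' && echo 'Hi folks", '/var/lib/boinc/log_test', 50), "\n";
[$sql, $params] = build_where([['appid', '=', '3'], ['name', 'LIKE', 'wu_%']]);
echo $sql, ' ', json_encode($params), "\n";
try { build_where([['id', '1 OR 1=1', '']]); } catch (InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }
```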
_______________________________________________
boinc_dev mailing list
[email protected]
http://lists.ssl.berkeley.edu/mailman/listinfo/boinc_dev
To unsubscribe, visit the above URL and
(near bottom of page) enter your email address.