@edso
> ... so parameter issues sound merely academic from a security point of view. 
> ...

Not as academic as you think; I could, for example, exploit the program Gufw 
with the legal parameter "disable" so the firewall went off, which was not 
wanted and not shown in the GUI.  
 
> ... there is the "ominous" we again. ;) ....

I used "we should ... " because it sounds so harsh if I say "you have made some 
mistake" ... ;-)
I can help with patching, but I found more than 30 shell injections in other Python 
scripts, so ... you are not the only ones ;-)
My bug list, where you can find some inspiration on how the others fixed their 
bugs:
https://bugs.launchpad.net/~l-ubuntuone1104/+bugs?orderby=-importance&start=0

-- 
You received this bug notification because you are a member of
duplicity-team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1520691

Title:
   Shell Code Injection in hsi backend

Status in Duplicity:
  Fix Committed

Bug description:
  https://bugs.launchpad.net/ubuntu/+source/duplicity/+bug/1519103

  The "hsi" backend of duplicity is vulnerabe to code injections.

  It uses os.popen3() with should be replaced with subprocess.Popen().

  Thank you.

  File :
  -------
  /usr/lib/python2.7/dist-packages/duplicity/backends/hsibackend.py

  This is the function which is vulnerable:
  ------------------------------------------------------------
      def _list(self):
          commandline = '%s "ls -l %s"' % (hsi_command, self.remote_dir)
          l = os.popen3(commandline)[2].readlines()[3:]

  Exploit Demo :
  ============

  On the Terminal type in :

  $ duplicity 'hsi://bug/";xeyes;"/test/' /tmp/bug

  --> This will start the program xeyes, but should not.

  I attached a screenshot of the exploit demo.

To manage notifications about this bug go to:
https://bugs.launchpad.net/duplicity/+bug/1520691/+subscriptions

_______________________________________________
Mailing list: https://launchpad.net/~duplicity-team
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~duplicity-team
More help   : https://help.launchpad.net/ListHelp
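The following is an added example, not code from the bug report or from duplicity, that reproduces the injection in `_list()` above beside the argv-list form the report asks for. It assumes `hsi` is not installed and stands in `echo` for it, and it swaps `xeyes` in the report's payload for `echo INJECTED` so the demonstration is harmless and runs headless; `os.popen3()` no longer exists in Python 3, so `subprocess.run(..., shell=True)` is used to reproduce its "hand the string to /bin/sh" behaviour. The payload string is constructed for this example.

```python
import subprocess

# Payload shaped like the bug report's exploit demo, with xeyes swapped
# for an echo so it is harmless and observable (constructed for this example).
REMOTE_DIR = '";echo INJECTED;"/test/'

# Stand-in for the real `hsi` binary (assumption: hsi is not installed).
# `echo` prints whatever argument it receives, which is exactly what we
# want to observe: did the local shell split the string or not?
HSI_COMMAND = 'echo'


def list_vulnerable(hsi_command, remote_dir):
    """Mirror of the original _list(): the remote directory is pasted into
    one command string, and that string is handed to /bin/sh to parse.
    Anything the shell treats specially in remote_dir (quotes, ';', '$()')
    is interpreted, which is the injection."""
    commandline = '%s "ls -l %s"' % (hsi_command, remote_dir)
    proc = subprocess.run(commandline, shell=True,
                          capture_output=True, text=True)
    # With the payload above the shell runs three commands:
    #   echo "ls -l "   ->  stdout 'ls -l '
    #   echo INJECTED   ->  stdout 'INJECTED'   (the attacker's command)
    #   "/test/"        ->  'not found' on stderr
    return proc.stdout.splitlines()


def list_hardened(hsi_command, remote_dir):
    """Hardened form: an argv list and no shell.  The remote directory
    stays inside one opaque argument no matter what characters it holds,
    so the attacker's ';echo INJECTED;' is printed back, not executed."""
    argv = [hsi_command, 'ls -l %s' % remote_dir]
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout.splitlines()


if __name__ == '__main__':
    print('vulnerable:', list_vulnerable(HSI_COMMAND, REMOTE_DIR))
    print('hardened:  ', list_hardened(HSI_COMMAND, REMOTE_DIR))
```

Running it shows the vulnerable form returning `['ls -l ', 'INJECTED']`, i.e. the attacker-controlled command ran, while the hardened form returns the single literal line `ls -l ";echo INJECTED;"/test/`. Note the caveat: the list form only removes the local shell from the picture; the real `hsi` still receives `ls -l <remote_dir>` as one string for its own command parser, and whether that parser needs further escaping is a separate question this report does not address.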