Am 13.05.2016 um 17:30 schrieb Rio Sherri:
# Title : runAV mod_security Remote Command Execution # Date : 13/05/2016 # Author : R-73eN # Tested on : mod_security with runAV Linux 4.2.0-30-generic #36-Ubuntu SMP Fri Feb 26 00:57:19 UTC 2016 i686 i686 i686 GNU/Linux # Software : https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/master/util/av-scanning/runAV # Vendor : https://www.modsecurity.org/ # https://www.infogen.al/
> > sprintf (cmd, "/usr/bin/clamscan --no-summary %s", argv[1]); > The argv[1] parameter is passed unsanitized to a sprintf function > which sends the formatted output to the cmd variable, > which is later passed as a parameter to a run_cmd function on line 14i don't think so because the temp-files of mod-security to inspect uploads are not controlled by the client and don't contain anything in their names which could be critical
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
