NASA-PDS / PLAID

APPS PDS Label Assistant for Interactive Design (PLAID). See an overview of the software on YouTube. https://www.youtube.com/watch?v=WCo8erW_rL8
https://plaid.jpl.nasa.gov

`call_user_func` executes unfiltered arguments from http client #34

Closed nutjob4life closed 2 years ago

nutjob4life commented 2 years ago

Vulnerability

In 9 places in the PLAID source code, call_user_func and call_user_func_array appear. In at least 3 of those locations, the first argument (the name of the function to call) is passed in from the HTTP client; for example:

```php
if(isset($_POST['Function'])){
    $DOC = readInXML(getLabelXML());
    // Function name and argument both come straight from the POST body; nothing restricts them
    call_user_func($_POST['Function'], $_POST['Data']);
}
```

No checking is performed before making this call. A client could construct a specially formulated POST payload to execute an arbitrary PHP function with an arbitrary argument, such as system with rm -rf /. As a proof of concept, I was able to execute phpinfo() as well as pcntl_exec().

Software Version

main as of 2022-01-04.
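The usual fix for this class of bug is to stop treating the client-supplied value as a PHP function name at all: map a small set of action keywords to fixed handlers and reject everything else. The following is an added example, not code from this issue or from PLAID; the handler functions, the action names and the sample requests are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Hypothetical handlers the endpoint legitimately needs to expose.
// Each takes the posted Data string and returns a result for the client.
function saveLabel(string $data): string { return 'saved ' . strlen($data) . ' bytes'; }
function validateLabel(string $data): string { return $data === '' ? 'empty' : 'ok'; }

// Allowlist: the client-supplied action name is a lookup key, never a PHP function name.
// Only the handlers listed here can ever be reached from a request.
const ACTION_HANDLERS = [
    'save'     => 'saveLabel',
    'validate' => 'validateLabel',
];

/**
 * Hardened replacement for call_user_func($_POST['Function'], $_POST['Data']).
 * Returns the handler's result, or throws for anything not in the allowlist.
 */
function dispatchAction(array $post): string
{
    $action = $post['Function'] ?? null;
    $data   = $post['Data'] ?? null;

    // Exact string match against fixed keys: no normalisation, no case folding,
    // so names like 'phpinfo' or 'system' can never resolve to a handler.
    if (!is_string($action) || !array_key_exists($action, ACTION_HANDLERS)) {
        throw new InvalidArgumentException('Unknown action');
    }
    if (!is_string($data)) {
        throw new InvalidArgumentException('Data must be a string');
    }

    $handler = ACTION_HANDLERS[$action];
    return $handler($data);
}

// Constructed requests standing in for $_POST (not captured traffic).
$requests = [
    ['Function' => 'save',     'Data' => '<Product_Observational/>'],
    ['Function' => 'validate', 'Data' => ''],
    ['Function' => 'phpinfo',  'Data' => ''],        // the proof of concept from the issue
    ['Function' => 'pcntl_exec', 'Data' => ''],      // also named in the issue
];

foreach ($requests as $r) {
    try {
        printf("%-12s -> %s\n", $r['Function'], dispatchAction($r));
    } catch (InvalidArgumentException $e) {
        printf("%-12s -> rejected (%s)\n", $r['Function'], $e->getMessage());
    }
}
```

The important property is that the request never names a callable: `$_POST['Function']` is only ever compared against the constant keys of `ACTION_HANDLERS`, so adding a new capability means editing the allowlist in source, and a grep for `call_user_func` with a `$_POST`, `$_GET` or `$_REQUEST` argument is a quick way to find any remaining instances of the original pattern.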

nutjob4life commented 2 years ago

For more background see https://owasp.org/www-community/attacks/Function_Injection

jordanpadams commented 2 years ago

@nutjob4life similar question to https://github.com/NASA-PDS/PLAID/issues/32, but this one definitely sounds like a security vulnerability we need to fix?

nutjob4life commented 2 years ago

@jordanpadams yeah, this one's bad. It should be addressed as soon as possible, especially if it's running on any public-facing sites.

stirlingalgermissen commented 2 years ago

this one is pretty bad, nice job catching it