Closed nutjob4life closed 2 years ago
For more background see https://owasp.org/www-community/attacks/Function_Injection
@nutjob4life similar question to https://github.com/NASA-PDS/PLAID/issues/32, but this one definitely sounds like a security vulnerability we need to fix?
@jordanpadams yeah, this one's bad. It should be addressed as soon as possible, especially if it's running on any public-facing sites.
this one is pretty bad, nice job catching it
Vulnerability

In 9 places in the PLAID source code, `call_user_func` and `call_user_func_array` appear. In at least 3 of those locations, the first argument (the name of the function to call) is passed in from the HTTP client; for example:

No checking is performed before making this call. A client could construct a specially formulated POST payload to execute an arbitrary PHP function with an arbitrary argument, such as `system` with `rm -rf /`. As a proof of concept, I was able to execute `phpinfo()` as well as `pcntl_exec()`.

Software Version

`main` as of 2022-01-04.
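The fix pattern for this class of bug, as an added example that is not PLAID's code: the client never names a PHP function directly; it names an action, and a fixed allowlist maps that action to the callable. The handler names, `ACTION_MAP`, and the JSON request shape are assumptions for illustration.

```php
<?php
// Added example (not PLAID's code): route a client-supplied action name
// through a fixed allowlist instead of handing it to call_user_func().

// Constructed handlers standing in for the application's real ones.
function listBundles(array $args): array { return ['bundles' => []]; }
function getLabel(array $args): array { return ['label' => $args['id'] ?? null]; }

// The allowlist is the only bridge between client input and callables.
// Keys are the names a client may send; values are the real functions.
const ACTION_MAP = [
    'list_bundles' => 'listBundles',
    'get_label'    => 'getLabel',
];

/**
 * Resolve and invoke an action by name. Anything not in ACTION_MAP is
 * rejected before any callable is touched. Note that is_callable() or
 * function_exists() is NOT a sufficient check: builtins such as system()
 * pass both, which is exactly the problem described in this issue.
 */
function dispatch(string $action, array $args): array
{
    if (!array_key_exists($action, ACTION_MAP)) {
        // Record the rejected name for detection; do not echo it back raw.
        error_log(sprintf('rejected action %s', json_encode($action)));
        throw new InvalidArgumentException('unknown action');
    }
    // Pass one array argument so the client also cannot shape the
    // argument list (the call_user_func_array variant of the same bug).
    return call_user_func(ACTION_MAP[$action], $args);
}

// Vulnerable shape the issue describes (constructed, for contrast):
//   call_user_func($_POST['function'], $_POST['argument']);
//
// Hardened entry point, reading a constructed JSON body:
$payload = json_decode((string) file_get_contents('php://input'), true);
$payload = is_array($payload) ? $payload : [];
$args    = is_array($payload['args'] ?? null) ? $payload['args'] : [];
try {
    $result = dispatch((string) ($payload['action'] ?? ''), $args);
    header('Content-Type: application/json');
    echo json_encode($result);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo json_encode(['error' => $e->getMessage()]);
}
```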