Odonel / globalban-spanish

Automatically exported from code.google.com/p/globalban-spanish

[Critical] Command execution vulnerability #24

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Well, the developer was informed 4 days ago about this vulnerability and he 
hasn't replied yet and he hasn't fixed the bug in the last update. It's time to 
publish.

File: /es/checkUser.php

[...]
$nameOfBanned = $_GET['name'];
[...]
$r->sendRconCommand("ma_chat ".$LANCHECKUSER_006.": ".$nameOfBanned." - \"".$steamId."\" | ".$bannedUser->getName()." | ".$LANCHECKUSER_007.": ".$reasonQueries->getReason($bannedUser->getReasonId()));
[...]

So if the name of an ex-banned player is something like "asdf;rcon_password 
asdf;" he can change the rcon password. 

Fix:
$nameOfBanned = str_ireplace(array("\"", "\r\n", "\n", "\r", ";"), "", $nameOfBanned);

Best regards
Dark Session

Original issue reported on code.google.com by accz....@gmail.com on 16 May 2011 at 7:01
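
The report's fix applied to every concatenated field rather than only `$nameOfBanned`, as an added example that is not part of the original issue or of the GlobalBan code. The function names and sample values are hypothetical, the character set generalizes the reported fix from `\r` and `\n` to all ASCII control characters, and treating the other fields as possibly untrusted is an assumption.

```php
<?php
// Added example, not GlobalBan's code. Function names are hypothetical.

/**
 * Strip characters that let a value break out of a console argument:
 * double quotes, semicolons and every ASCII control character
 * (a superset of the "\r" and "\n" removed by the fix in the report).
 */
function sanitizeRconArg(string $value): string
{
    return (string) preg_replace('/[\x00-\x1F\x7F";]/', '', $value);
}

/**
 * Build the ma_chat line with every interpolated field sanitized.
 * $label and $reasonLabel stand in for the $LANCHECKUSER_* language strings.
 */
function buildChatCommand(
    string $label,
    string $name,
    string $steamId,
    string $bannedName,
    string $reasonLabel,
    string $reason
): string {
    $f = array_map('sanitizeRconArg', [$name, $steamId, $bannedName, $reason]);
    $cmd = sprintf('ma_chat %s: %s - "%s" | %s | %s: %s',
        $label, $f[0], $f[1], $f[2], $reasonLabel, $f[3]);

    // Final guard over the whole line, labels included: refuse to send
    // anything that still contains a command separator or control character.
    if (preg_match('/[\x00-\x1F\x7F;]/', $cmd)) {
        throw new InvalidArgumentException('unsafe character in rcon command');
    }
    return $cmd;
}

// Constructed sample input: the player name from the report, plus a reason
// containing a newline to show that control characters are removed as well.
echo buildChatCommand(
    'Checked',
    'asdf;rcon_password asdf;',
    'STEAM_0:0:1',
    'asdf',
    'Reason',
    "cheat\nsay hi"
), PHP_EOL;
```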

GoogleCodeExporter commented 9 years ago
Sorry, I haven't been informed; second, my grandma is in hospital, so I didn't check my email and the codepage. Will fix it now!!!! Thx

Original comment by Mader6000@googlemail.com on 25 May 2011 at 7:12

GoogleCodeExporter commented 9 years ago

Original comment by Mader6000@googlemail.com on 25 May 2011 at 7:53