PhilippEngler / eufy-security-hm

AddOn for HomeMatic CCU and compatible devices to interact with eufy security devices.
MIT License

Security issue in update-check.cgi #11

Closed jens-maus closed 1 year ago

jens-maus commented 1 year ago

Please compare the following

https://github.com/PhilippEngler/eufy-security-hm/blob/d449d3532690ce32a46fe0db10d6f61153285aec/addon/eufySecurity/www/update-check.cgi#L10

with

https://github.com/homematic-community/hm_pdetect/blob/master/addon/www/update-check.cgi#L10

and note that parsing the QUERY_STRING like this is a security risk. Thus, please adapt to the latest version of update-check.cgi that is used in other CCU addon projects.

See here for the complete change history of update-check.cgi in the hm_pdetect addon project:

https://github.com/homematic-community/hm_pdetect/commit/d6f42617cfacb3e9ceac09a2a642e1c3e4dc87ad
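The following is an added example, not code from eufy-security-hm or hm_pdetect, and it does not claim to reproduce what line 10 of either script contains. It contrasts a hypothetical unsafe way of reading CGI parameters in a POSIX shell script (handing QUERY_STRING to `eval`) with a parser that never lets the shell evaluate client input. The parameter name `mode`, its allowed values and the constructed query strings are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not project code): reading CGI parameters from QUERY_STRING
# without letting the shell evaluate them. Parameter names are assumptions.

# Hypothetical UNSAFE pattern, shown for comparison only and never called here:
# turning "a=1&b=2" into shell assignments with eval lets any HTTP client run
# commands, e.g. QUERY_STRING='a=1;id' or QUERY_STRING='a=$(reboot)'.
unsafe_parse_query() {
  eval "$(printf '%s' "$QUERY_STRING" | tr '&' ';')"
}

# query_param NAME QUERY_STRING
# Prints the value of NAME if present and well-formed, returns 1 otherwise.
# Values are restricted to [A-Za-z0-9_.-] and are never evaluated by the shell.
query_param() {
  name=$1
  qs=$2
  case "$name" in
    *[!A-Za-z0-9_]*|'') return 1 ;;     # refuse odd parameter names up front
  esac
  # Split on '&' inside a subshell so the IFS/-f changes do not leak out.
  (
    IFS='&'
    set -f                                # no glob expansion while splitting
    for pair in $qs; do
      key=${pair%%=*}
      val=${pair#*=}
      [ "$pair" = "$key" ] && val=''      # bare "flag" without '=' -> empty
      [ "$key" = "$name" ] || continue
      case "$val" in
        *[!A-Za-z0-9_.-]*) exit 1 ;;      # anything outside the allow-list
      esac
      printf '%s\n' "$val"
      exit 0
    done
    exit 1
  )
}

# update_mode QUERY_STRING
# The only parameter this hypothetical script uses; anything other than the
# two known values falls back to "auto", so bad input cannot change behaviour.
update_mode() {
  m=$(query_param mode "$1") || m=auto
  case "$m" in
    manual|auto) printf '%s\n' "$m" ;;
    *) printf 'auto\n' ;;
  esac
}

# Stand-alone demonstration with constructed query strings.
update_mode 'mode=manual&x=1'        # manual
update_mode 'mode=manual;id'         # rejected, falls back to auto
update_mode 'mode=$(reboot)&x=1'     # rejected, falls back to auto
```

Because nothing from QUERY_STRING ever reaches `eval`, `sh -c` or an unquoted expansion, a request such as `update-check.cgi?mode=manual;id` simply yields the default instead of executing `id` on the CCU. The allow-list on values is deliberately strict; a script that must accept arbitrary text would need a proper percent-decoder, but it would still keep the decoded value in a variable rather than evaluating it.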

PhilippEngler commented 1 year ago

Thank you, @jens-maus. It will be updated in the next version (commit 528).