shardeum / validator-cli

MIT License
20 stars, 9 forks

Other commands are executable on the operator-cli #11

Open itechpartners opened 4 months ago

itechpartners commented 4 months ago

Hello Team, I identified something which I believe is an opportunity for security improvement.

The operator-cli environment allows other commands to be executed successfully within the shell environment. This should be restricted to allow only required and applicable commands that are specific to Shardeum.

I will suggest that any command except the ones listed by Shardeum should not be allowed to execute within the operator CLI environment.

CLI part of the operator dashboard. Commands:

  status
  stake_info
  start
  stop [options]
  stake
  unstake [options]
  update
  version
  network-stats
  node-settings
  set
  gui
  help [command]

soniasingla commented 4 months ago

@itechpartners 👋 Thank you for bringing this issue to our attention. I am currently investigating the problem and will provide updates as soon as I have more information 🤗

mssabr01 commented 4 months ago

@itechpartners Can you provide a proof of concept of how this can be exploited? The CLI is designed to be run locally and not be accessible from the internet. In this use case, an attacker can just enter commands into bash without interacting with the operator CLI at all

itechpartners commented 3 months ago

Hello Mehdi and Team, The objective is to prevent any package or process from running on the Shardeum shell. I could create files and directories on the /app$ shell, but when I tried executing packages, they were running on the system kernel. I will say the risk is minimal, but allowing only applicable commands to execute on the Shardeum shell in future versions will be a good practice.

Kind regards,
Charles Asiafa