snaptec / openWB

openWB - die modulare Wallbox
https://openwb.de
GNU General Public License v3.0

[Security] Command injection vulnerability #2816

Closed eldstal closed 4 months ago

eldstal commented 5 months ago

Security advisory

A command injection vulnerability exists in OpenWB in all versions between Jan 29, 2021 and the current version (Feb 03, 2024). The vulnerability allows an unauthenticated user to execute arbitrary OS commands on the host, with full root privileges.

Details removed

Speedy1991 commented 5 months ago

Can you please not post this stuff in a publicly visible scope?

This is like a CVE10 - an attacker may obtain full root access to the machine. Please take down the steps to reproduce and offer an email on the README to report security issues.

Also see these GitHub notes about security reporting.

As a software engineer myself: I love my openWB, but your project management and your development pipeline really need some careful review.

eldstal commented 5 months ago

Yes. GitHub offers a mechanism for private submission of vulnerability reports, but it requires that the repository maintainers set up a security policy. This enables an interface for submitting something similar to a regular issue, but visible only to the maintainers until they are ready to disclose the vulnerability publicly. It is a good idea to have a public policy for vulnerability reports, so that researchers know where to send their reports.

Since the project has no policy I can find (and nothing in README.md about where security reports should be submitted), and has previously accepted a similar report, I reported the issue here.

I understand the purpose of redacting the report, and will do so if the maintainers decide that this is best. Please be aware, however, that this vulnerability and how to exploit it will be quite obvious from reading the patch. Once the fix is published, the cat is out of the bag. At that point, it makes a lot more sense to properly disclose to users that there was in fact a vulnerability. This is the purpose of a CVE entry.