Page MenuHomeVyOS Platform
Create Task
Maniphest T1010

improper pid file handling of webgui
Closed, ResolvedPublicBUG
Actions

Description

since the webgui is suid root, any unprivileged user (however they might get onto the system) might arbitrarily overwrite any file:

frr@fw0:~$ /usr/lib/cgi-bin-webgui -i /etc/resolv.conf
^C
frr@fw0:~$ cat /etc/resolv.conf
5947
frr@fw0:~$

don't know if that could be exploited to gain admin rights, but at least could hose the system.

Details

Version
1.2.0-rc7
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Unspecified (please specify)

Related Objects

Event Timeline

buzzdeee created this task.Nov 14 2018, 10:36 AM
buzzdeee changed the visibility from "Public (No Login Required)" to "All Users".Nov 14 2018, 10:38 AM
syncer assigned this task to dmbaturin.Nov 14 2018, 1:05 PM
syncer changed the visibility from "All Users" to "Public (No Login Required)".
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc8); removed VyOS 1.2 Crux.
syncer added subscribers: dmbaturin, syncer.

@dmbaturin please remove all related

syncer triaged this task as Low priority.Nov 14 2018, 1:06 PM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc9); removed VyOS 1.2 Crux (VyOS 1.2.0-rc8).Nov 20 2018, 12:44 PM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc10); removed VyOS 1.2 Crux (VyOS 1.2.0-rc9).Nov 27 2018, 12:03 AM
syncer edited projects, added VyOS 1.2 Crux ( VyOS 1.2.0-rc11); removed VyOS 1.2 Crux (VyOS 1.2.0-rc10).Dec 5 2018, 11:58 PM
pasik subscribed.Dec 16 2018, 11:22 AM
syncer edited projects, added VyOS 1.2 Crux ( VyOS 1.2.0-EPA); removed VyOS 1.2 Crux ( VyOS 1.2.0-rc11).Dec 21 2018, 10:07 AM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-EPA2); removed VyOS 1.2 Crux ( VyOS 1.2.0-EPA).Jan 1 2019, 6:10 PM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-EPA3); removed VyOS 1.2 Crux (VyOS 1.2.0-EPA2).Jan 3 2019, 1:54 PM
syncer reassigned this task from dmbaturin to hagbard.Feb 7 2019, 11:23 PM
syncer raised the priority of this task from Low to Normal.
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.2); removed VyOS 1.2 Crux (VyOS 1.2.0-EPA3).
syncer added a subscriber: hagbard.

@hagbard we need to remove all old stuff including lightttpd
we going to replace it with nginx as per T808

hagbard changed the task status from Open to In progress.Feb 8 2019, 7:36 PM
hagbard added a comment.EditedFeb 9 2019, 11:05 AM
hagbard closed this task as Resolved.Feb 9 2019, 10:16 PM
syncer moved this task from Needs Triage to Finished on the VyOS 1.2 Crux (VyOS 1.2.2) board.Aug 31 2019, 3:41 AM
syncer added a project: VyOS 1.3 Equuleus.
syncer moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.
dmbaturin removed a project: VyOS 1.3 Equuleus.Sep 10 2021, 6:24 AM
dmbaturin set Is it a breaking change? to Unspecified (possibly destroys the router).
dmbaturin set Issue type to Unspecified (please specify).