alpine 3.7
shell weakness #4

4

Weakness Breakdown


Definition:

A shell weakness occurs when a program enables an attacker to execute unexpected commands on the operating system.

Warning code(s):

The flagged call causes a new program to execute and is difficult to use safely.

File Name:

ciwiki/src/ciwiki-2.0.5/src/wiki.c

Context:

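The highlighted line of code below is the trigger point of this particular Alpine 3.7 shell weakness. The highlighting is not preserved in this text; the only call in the excerpt that starts a new program is `popen(scriptfullpath, "w")`. Its command string is built with `asprintf` from the `Script` request parameter, and the excerpt shows no validation of that parameter (the `strchr(page, '/')` check above applies to `page` only). Because `popen` passes the string to the shell, a reviewer would want the parameter matched against a fixed list of script names, or the script started with an explicit argument vector rather than a shell command line. The branch is reached only when `Exec_allowed` is set and the page is `.Execute`.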

    * There shouldn't need to be any..
   */
  if (strchr(page, '/'))
  {
    http_response_set_status(res, 404, "Not Found");
    http_response_printf(res, "<html><body>404 Not Found</body></html>\n");
    http_response_send(res);
    exit(0);
  }

  /* Safety issue. */
  if (Exec_allowed && !strcmp(page, ".Execute")) 
  {
    FILE *pop;
    int status;
    char string[256];
    
    string[255]='\0';
    status=0;
    //char* scriptname;
    char* scriptfullpath;
    
    /* exec file located in /scripts/ */
    asprintf(&scriptfullpath,"./scripts/%s",http_request_param_get(req, "Script"));
    if ( (pop = popen(scriptfullpath, "w")) )
    {
            http_response_printf(res, 
        "<html><body>\n");
      while (fgets(string, 255, pop) != NULL)
      {
        if (*string=='\0' || *string==EOF) break;
        http_response_printf(res, "%s\n",string);
        *string='\0';
      }
      status = pclose(pop);
      if (status==-1) printf("\nError in Execute\n");
      http_response_printf(res, 
        "</body></html>\n");
    }
    else
      http_response_printf(res, 
        "<html><body><strong>Cannot ls!</strong></body></html>\n");
      
    http_response_send(res);
  }
  else if (Upload_allowed && !strcmp(page, "Upload")) 
  {
    if (upload_status < -1)
        msg=strdup("<html><body>This file is too large!</body></html>\n");
    else if (upload_status == -1)     
