[VIM] WebMplayer "eval injection" is actually OS command injection
Steven M. Christey
coley at mitre.org
Tue Feb 27 12:08:59 EST 2007
Ref: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=486880&group_id=172354
The statement "index.php: Bugfix: $val must be numeric, so no other
can be commands inserted" has apparently been interpreted as eval
injection by some sources (and a "param" parameter), but a code review
for index.php in 0.6alpha shows:
    while(list($param) = each($_GET)){
        if(isset($_GET[$param])){$val = $_GET[$param];}
        if (!empty($val)){
            exec($aumix." -".$param." ".$val);
        }
    }
$aumix is an executable.
The "empty($val)" statement was fixed to:
if (!empty($val) && is_numeric($val)){
So:
1) This is "OS Command Injection" by shell metacharacters in the
exec(), with no escapeshellarg/escapeshellcmd.
2) "param" is not a parameter name at all, except the code seems to
allow arbitrarily-named parameters, so maybe "param" would actually
work.
- Steve
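Added example (editorial, not WebMplayer's code and not part of Steve's message): it models the command string that the quoted index.php loop hands to exec(), before and after the release-note fix, next to a hardened form. Assumptions: $aumix resolves to /usr/bin/aumix (the post only says it is an executable), the allow-listed option names are placeholders, and the request arrays are constructed inputs standing in for $_GET. Nothing is executed; the functions only return the strings exec() would receive.

```php
<?php
// Added example, not WebMplayer's own code: it models the command
// construction quoted from index.php so the injection can be inspected
// without running anything. Each function returns the strings that
// exec() would receive, one per accepted GET parameter.
// Assumption: $aumix resolves to "/usr/bin/aumix" (the post only says it
// is an executable).
const AUMIX = '/usr/bin/aumix';

// 0.6alpha logic as quoted: $val is only tested with empty().
function commands_original(array $get): array
{
    $cmds = [];
    foreach ($get as $param => $val) {
        if (!empty($val)) {
            $cmds[] = AUMIX . " -" . $param . " " . $val;
        }
    }
    return $cmds;
}

// Logic after the release-note fix: $val must also satisfy is_numeric().
function commands_fixed(array $get): array
{
    $cmds = [];
    foreach ($get as $param => $val) {
        if (!empty($val) && is_numeric($val)) {
            $cmds[] = AUMIX . " -" . $param . " " . $val;
        }
    }
    return $cmds;
}

// Hardened form (hypothetical; not from the project): allow-list the option
// name, accept only a small integer, and shell-escape both pieces anyway.
// The allow-list is an assumption; it should be the options aumix really
// takes in the deployment.
function commands_hardened(array $get, array $allowed = ['v', 'w', 'c']): array
{
    $cmds = [];
    foreach ($get as $param => $val) {
        if (!in_array((string) $param, $allowed, true)) {
            continue;                              // unknown option name
        }
        if (!preg_match('/^\d{1,3}$/', (string) $val)) {
            continue;                              // not a 0-999 integer
        }
        $cmds[] = AUMIX . ' ' . escapeshellarg('-' . $param)
                . ' ' . escapeshellarg((string) $val);
    }
    return $cmds;
}

// Constructed request inputs, i.e. what $_GET would hold (not real traffic).
$requests = [
    'benign    ?v=50'     => ['v' => '50'],
    'val meta  ?v=50;id'  => ['v' => '50;id'],     // metacharacters in $val
    // Metacharacters in the parameter *name*; the fix checks $val only.
    // Assumes the key reaches $_GET unchanged, which should be verified
    // against the PHP version in use.
    'name meta ?v;id=50'  => ['v;id' => '50'],
];

foreach ($requests as $label => $get) {
    echo $label, "\n";
    echo "  original : ", json_encode(commands_original($get)), "\n";
    echo "  fixed    : ", json_encode(commands_fixed($get)), "\n";
    echo "  hardened : ", json_encode(commands_hardened($get)), "\n";
}
```

For ?v=50;id the original form yields a command string containing `;id`, which exec() passes to /bin/sh, while the fixed form yields nothing because is_numeric('50;id') is false. The third request is included because the added check covers only $val; whether an option name can carry metacharacters depends on how the request parser treats the key, which is left as an assumption to test rather than asserted here.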