mirror of
https://git.sakamoto.pl/laudom/http.sh.git
synced 2025-08-09 23:13:33 +02:00
Compare commits
2 commits
ec6a0d81a9
...
7f0cd58986
| Author | SHA1 | Date | |
|---|---|---|---|
|
7f0cd58986 | ||
|
|
89c2850428 |
2 changed files with 15 additions and 4 deletions
11
docs/sec-fixes/2025-02-24_template.md
Normal file
11
docs/sec-fixes/2025-02-24_template.md
Normal file
|
|
@ -0,0 +1,11 @@
|
||||||
|
# 2025-02-24 Template injection leading to RCE
|
||||||
|
|
||||||
|
Between commits 4e6c5c0ba3af3d93a67961651db0906c6dfa686f (2024-07-17) and
|
||||||
|
89c285042835bec5cdd23128102dbeeba37bfa16 (2025-02-24), template.sh included
|
||||||
|
a code path which allowed an attacker to inject the delimeter (\x02) into
|
||||||
|
a rendered value, which coupled with using the `e` sed filter could lead to
|
||||||
|
remote code execution.
|
||||||
|
|
||||||
|
This vulnerability could only be triggered in apps using the subtemplate
|
||||||
|
feature. It arose due to an inconsistency with input sanitization between
|
||||||
|
including a raw value and including a raw value while recursing.
|
||||||
|
|
@ -7,7 +7,7 @@ function render() {
|
||||||
if [[ "$3" != true ]]; then
|
if [[ "$3" != true ]]; then
|
||||||
local template="$(tr -d $'\01'$'\02' < "$2" | sed 's/\&/<2F>UwU<77>/g')"
|
local template="$(tr -d $'\01'$'\02' < "$2" | sed 's/\&/<2F>UwU<77>/g')"
|
||||||
else
|
else
|
||||||
local template="$(cat "$2" | sed -E 's/\\/\\\\/g')"
|
local template="$(tr -d '$\02' < "$2" | sed -E 's/\\/\\\\/g')"
|
||||||
fi
|
fi
|
||||||
local -n ref=$1
|
local -n ref=$1
|
||||||
local tmp=$(mktemp)
|
local tmp=$(mktemp)
|
||||||
|
|
@ -29,12 +29,12 @@ function render() {
|
||||||
|
|
||||||
value+="$(render fdsa "$subtemplate" true)"
|
value+="$(render fdsa "$subtemplate" true)"
|
||||||
done
|
done
|
||||||
value="$(sed -E 's'$'\02''\{\{start '"$key"'\}\}'$'\02'$'\02'';s'$'\02''\{\{end '"$key"'\}\}'$'\02'$'\02' <<< "$value")"
|
value="$(tr -d '$\02' <<< "$value" | sed -E 's'$'\02''\{\{start '"$key"'\}\}'$'\02'$'\02'';s'$'\02''\{\{end '"$key"'\}\}'$'\02'$'\02')"
|
||||||
|
|
||||||
echo 's'$'\02''\{\{'"$key"'\}\}'$'\02'''"$value"''$'\02'';' >> "$tmp"
|
echo 's'$'\02''\{\{'"$key"'\}\}'$'\02'''"$value"''$'\02'';' >> "$tmp"
|
||||||
rm "$subtemplate"
|
rm "$subtemplate"
|
||||||
elif [[ "$key" == "@"* && "${ref["$key"]}" != '' ]]; then
|
elif [[ "$key" == "@"* && "${ref["$key"]}" != '' ]]; then
|
||||||
local value="$(sed -E 's/\&/<2F>UwU<77>/g' <<< "${ref["$key"]}")"
|
local value="$(tr -d $'\01\02' <<< "${ref["$key"]}" | sed -E 's/\&/<2F>UwU<77>/g')"
|
||||||
echo 's'$'\02''\{\{\'"$key"'\}\}'$'\02'''"$value"''$'\02''g;' >> "$tmp" #'
|
echo 's'$'\02''\{\{\'"$key"'\}\}'$'\02'''"$value"''$'\02''g;' >> "$tmp" #'
|
||||||
elif [[ "$key" == '?'* ]]; then
|
elif [[ "$key" == '?'* ]]; then
|
||||||
local _key="\\?${key/?/}"
|
local _key="\\?${key/?/}"
|
||||||
|
|
@ -53,7 +53,7 @@ function render() {
|
||||||
elif [[ "${ref["$key"]}" != "" ]]; then
|
elif [[ "${ref["$key"]}" != "" ]]; then
|
||||||
echo "VALUE: ${ref["$key"]}" > /dev/stderr
|
echo "VALUE: ${ref["$key"]}" > /dev/stderr
|
||||||
if [[ "$3" != true ]]; then
|
if [[ "$3" != true ]]; then
|
||||||
local value="$(html_encode <<< "${ref["$key"]}" | sed -E 's/\&/<2F>UwU<77>/g')"
|
local value="$(html_encode <<< "${ref["$key"]}" | tr -d $'\02' | sed -E 's/\&/<2F>UwU<77>/g')"
|
||||||
else
|
else
|
||||||
local value="$(echo -n "${ref["$key"]}" | tr -d $'\01'$'\02' | tr $'\n' $'\01' | sed -E 's/\\\\/<2F>OwO<77>/g;s/\\//g;s/<2F>OwO<77>/\\/g' | html_encode | sed -E 's/\&/<2F>UwU<77>/g')"
|
local value="$(echo -n "${ref["$key"]}" | tr -d $'\01'$'\02' | tr $'\n' $'\01' | sed -E 's/\\\\/<2F>OwO<77>/g;s/\\//g;s/<2F>OwO<77>/\\/g' | html_encode | sed -E 's/\&/<2F>UwU<77>/g')"
|
||||||
fi
|
fi
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue