mirror of
https://git.sakamoto.pl/laudom/http.sh.git
synced 2025-09-17 15:33:44 +02:00
11 lines
584 B
Markdown
11 lines
584 B
Markdown
# 2025-02-24 Template injection leading to RCE
|
|
|
|
Between commits 4e6c5c0ba3af3d93a67961651db0906c6dfa686f (2024-07-17) and
|
|
89c285042835bec5cdd23128102dbeeba37bfa16 (2025-02-24), template.sh included
|
|
a code path which allowed an attacker to inject the delimeter (\x02) into
|
|
a rendered value, which coupled with using the `e` sed filter could lead to
|
|
remote code execution.
|
|
|
|
This vulnerability could only be triggered in apps using the subtemplate
|
|
feature. It arose due to an inconsistency with input sanitization between
|
|
including a raw value and including a raw value while recursing.
|