Red Hat Bugzilla – Bug 15211
connection names not checked for shell escapes
Last modified: 2008-05-01 11:37:57 EDT
Maybe Security problem:
rp3 / rp3-config doesnt properly check the buffer contents for special characters. Result: Anyone that can start rp3-config or rename a
connection name can run an arbitrary command as root.
As you seem to need the root pass to start rp3-config things arent too terrible, but this could still have bad side effects.
Do this: start rp3-config, as connection name use <something>&<command>
then try to start or stop that connection with rp3. <command> will be run as root. Happened originally when my connection was called "at&t"...
I suggest this should be fixed if there is any way a user or skript could ever provide a provider name to rp3.
This will be fixed in CVS and in rp3-1.1.2-5 and later. All shell
metacharacters will now be quoted.
*** Bug 16488 has been marked as a duplicate of this bug. ***