Bug 469320 - (CVE-2008-4796) CVE-2008-4796 snoopy: command execution via shell metacharacters
CVE-2008-4796 snoopy: command execution via shell metacharacters
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
http://nvd.nist.gov/nvd.cfm?cvename=C...
impact=important,public=20081031,repo...
: Reopened, Security
: 957481 (view as bug list)
Depends On: 958302 958305 958308
Blocks: 958515
  Show dependency treegraph
 
Reported: 2008-10-31 05:38 EDT by Tomas Hoger
Modified: 2016-09-16 01:11 EDT (History)
16 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-08-09 20:58:50 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Tomas Hoger 2008-10-31 05:38:51 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-4796 to the following vulnerability:

The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
and earlier allows remote attackers to execute arbitrary commands via
shell metacharacters in https URLs. NOTE: some of these details are
obtained from third party information.

References:
http://sourceforge.net/forum/forum.php?forum_id=879959
http://jvn.jp/en/jp/JVN20502807/index.html
http://jvndb.jvn.jp/ja/contents/2008/JVNDB-2008-000074.html
http://www.frsirt.com/english/advisories/2008/2901
http://secunia.com/advisories/32361
Comment 1 Tomas Hoger 2008-10-31 05:42:12 EDT
Snoopy library is also included in WordPress.  WordPress was fixed upstream in version 2.6.3:
  http://wordpress.org/development/2008/10/wordpress-263/

Fedora updates:
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-9304
  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-9257
Comment 2 Bret McMillan 2008-10-31 09:40:49 EDT
Tracking some potential issues with the proposed fix here:

http://trac.mu.wordpress.org/ticket/782
Comment 5 Bret McMillan 2008-10-31 11:28:52 EDT
There are some open questions with the proposed fix.  I'm investigating.
Comment 7 Adrian Reber 2008-11-05 06:15:49 EST
I will then push the wordpress 2.6.3 updates to stable.
Comment 8 Fedora Update System 2008-11-06 21:51:51 EST
wordpress-2.6.3-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2008-11-06 21:54:29 EST
wordpress-2.6.3-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Tomas Hoger 2008-11-07 06:13:44 EST
Adding Jon to CC as well for moodle, which also contains embedded copy of Snoopy class.

As mentioned by Bret before, this issue did not affect WordPress(-mu) before 2.6.3, as wordpress called escapeshellcmd on the whole curl command, not only URL part (but was modified to only escape URL in 2.6.3).

Upstream Snoopy with the fix prevents command execution via URL, but it still allows execution via some other parameters, such as user agent or referrer specification.  But those are unlikely to be controlled by the untrusted user, and is rather controlled by script author (or course, if this gets exposed in script using Snoopy, this can be attack vector as well).  Escaping all command line arguments may result in some extraneous unintended escaping, such as */* -> \*/\* in Accept header.

Cookies and form fields content does not seem to allow code execution, as they are urlencoded before being used as curl command line options.

Last, but not least, none of moodle, wordpress or wordpress-mu (patched or unpatched) were really affected on common Fedora install.  $curl_path defaults to /usr/local/bin/curl (and is not changed in any of the Fedora packages), so the affected curl call is never reached if binary specified by $curl_path is not found.
Comment 11 Jon Ciesla 2008-11-07 08:44:47 EST
Looks like this was fixed in Moodle 1.9.3+ On 11/3.  I'll update all versions with the current weekly build.
Comment 12 Fedora Update System 2008-11-07 11:22:28 EST
moodle-1.9.3-3.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/moodle-1.9.3-3.fc10
Comment 13 Fedora Update System 2008-11-07 11:23:22 EST
moodle-1.9.3-3.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/moodle-1.9.3-3.fc9
Comment 14 Fedora Update System 2008-11-07 13:20:44 EST
moodle-1.8.7-1.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/moodle-1.8.7-1.fc8
Comment 15 Jon Ciesla 2008-11-07 14:10:50 EST
Built moodle-1.8.7-1 for EL-4 and EL-5 as well.  Will contact rel-eng for push.
Comment 16 Fedora Update System 2008-11-07 21:10:52 EST
moodle-1.8.7-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 Fedora Update System 2008-11-07 21:11:12 EST
moodle-1.9.3-3.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Fedora Update System 2008-11-22 11:45:11 EST
moodle-1.9.3-3.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 Kurt Seifried 2013-04-30 16:50:47 EDT
*** Bug 957481 has been marked as a duplicate of this bug. ***
Comment 20 Kurt Seifried 2013-04-30 16:53:32 EDT
This affects nagios
Comment 21 Kurt Seifried 2013-04-30 16:55:38 EDT
Created nagios tracking bugs for this issue

Affects: fedora-all [bug 958302]
Comment 22 Kurt Seifried 2013-04-30 16:57:08 EDT
Created nagios tracking bugs for this issue

Affects: epel-6 [bug 958305]
Comment 24 Fedora Update System 2015-12-05 15:30:14 EST
nagios-4.0.8-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.