Bug 469320 (CVE-2008-4796) - CVE-2008-4796 snoopy: command execution via shell metacharacters
Summary: CVE-2008-4796 snoopy: command execution via shell metacharacters
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-4796
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard: impact=important,public=20081031,repo...
: 957481 (view as bug list)
Depends On: 958302 958305 958308
Blocks: 958515
TreeView+ depends on / blocked
 
Reported: 2008-10-31 09:38 UTC by Tomas Hoger
Modified: 2019-06-08 12:37 UTC (History)
16 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-08-10 00:58:50 UTC


Attachments (Terms of Use)

Description Tomas Hoger 2008-10-31 09:38:51 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-4796 to the following vulnerability:

The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
and earlier allows remote attackers to execute arbitrary commands via
shell metacharacters in https URLs. NOTE: some of these details are
obtained from third party information.

References:
http://sourceforge.net/forum/forum.php?forum_id=879959
http://jvn.jp/en/jp/JVN20502807/index.html
http://jvndb.jvn.jp/ja/contents/2008/JVNDB-2008-000074.html
http://www.frsirt.com/english/advisories/2008/2901
http://secunia.com/advisories/32361

Comment 1 Tomas Hoger 2008-10-31 09:42:12 UTC
Snoopy library is also included in WordPress.  WordPress was fixed upstream in version 2.6.3:
  http://wordpress.org/development/2008/10/wordpress-263/

Fedora updates:
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-9304
  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-9257

Comment 2 Bret McMillan 2008-10-31 13:40:49 UTC
Tracking some potential issues with the proposed fix here:

http://trac.mu.wordpress.org/ticket/782

Comment 5 Bret McMillan 2008-10-31 15:28:52 UTC
There are some open questions with the proposed fix.  I'm investigating.

Comment 7 Adrian Reber 2008-11-05 11:15:49 UTC
I will then push the wordpress 2.6.3 updates to stable.

Comment 8 Fedora Update System 2008-11-07 02:51:51 UTC
wordpress-2.6.3-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2008-11-07 02:54:29 UTC
wordpress-2.6.3-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Tomas Hoger 2008-11-07 11:13:44 UTC
Adding Jon to CC as well for moodle, which also contains embedded copy of Snoopy class.

As mentioned by Bret before, this issue did not affect WordPress(-mu) before 2.6.3, as wordpress called escapeshellcmd on the whole curl command, not only URL part (but was modified to only escape URL in 2.6.3).

Upstream Snoopy with the fix prevents command execution via URL, but it still allows execution via some other parameters, such as user agent or referrer specification.  But those are unlikely to be controlled by the untrusted user, and is rather controlled by script author (or course, if this gets exposed in script using Snoopy, this can be attack vector as well).  Escaping all command line arguments may result in some extraneous unintended escaping, such as */* -> \*/\* in Accept header.

Cookies and form fields content does not seem to allow code execution, as they are urlencoded before being used as curl command line options.

Last, but not least, none of moodle, wordpress or wordpress-mu (patched or unpatched) were really affected on common Fedora install.  $curl_path defaults to /usr/local/bin/curl (and is not changed in any of the Fedora packages), so the affected curl call is never reached if binary specified by $curl_path is not found.

Comment 11 Gwyn Ciesla 2008-11-07 13:44:47 UTC
Looks like this was fixed in Moodle 1.9.3+ On 11/3.  I'll update all versions with the current weekly build.

Comment 12 Fedora Update System 2008-11-07 16:22:28 UTC
moodle-1.9.3-3.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/moodle-1.9.3-3.fc10

Comment 13 Fedora Update System 2008-11-07 16:23:22 UTC
moodle-1.9.3-3.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/moodle-1.9.3-3.fc9

Comment 14 Fedora Update System 2008-11-07 18:20:44 UTC
moodle-1.8.7-1.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/moodle-1.8.7-1.fc8

Comment 15 Gwyn Ciesla 2008-11-07 19:10:50 UTC
Built moodle-1.8.7-1 for EL-4 and EL-5 as well.  Will contact rel-eng for push.

Comment 16 Fedora Update System 2008-11-08 02:10:52 UTC
moodle-1.8.7-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2008-11-08 02:11:12 UTC
moodle-1.9.3-3.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2008-11-22 16:45:11 UTC
moodle-1.9.3-3.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Kurt Seifried 2013-04-30 20:50:47 UTC
*** Bug 957481 has been marked as a duplicate of this bug. ***

Comment 20 Kurt Seifried 2013-04-30 20:53:32 UTC
This affects nagios

Comment 21 Kurt Seifried 2013-04-30 20:55:38 UTC
Created nagios tracking bugs for this issue

Affects: fedora-all [bug 958302]

Comment 22 Kurt Seifried 2013-04-30 20:57:08 UTC
Created nagios tracking bugs for this issue

Affects: epel-6 [bug 958305]

Comment 24 Fedora Update System 2015-12-05 20:30:14 UTC
nagios-4.0.8-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.