Common Vulnerabilities and Exposures assigned an identifier CVE-2008-4796 to the following vulnerability:
The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in https URLs. NOTE: some of these details are obtained from third party information.
References:
http://sourceforge.net/forum/forum.php?forum_id=879959
http://jvn.jp/en/jp/JVN20502807/index.html
http://jvndb.jvn.jp/ja/contents/2008/JVNDB-2008-000074.html
http://www.frsirt.com/english/advisories/2008/2901
http://secunia.com/advisories/32361
Snoopy library is also included in WordPress. WordPress was fixed upstream in version 2.6.3:
http://wordpress.org/development/2008/10/wordpress-263/
Fedora updates:
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-9304
https://admin.fedoraproject.org/updates/F9/FEDORA-2008-9257
Tracking some potential issues with the proposed fix here: http://trac.mu.wordpress.org/ticket/782
There are some open questions with the proposed fix. I'm investigating.
Upstream CVS commit: http://snoopy.cvs.sourceforge.net/viewvc/snoopy/Snoopy/Snoopy.class.php?r1=1.24&r2=1.25
I will then push the wordpress 2.6.3 updates to stable.
wordpress-2.6.3-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
wordpress-2.6.3-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
Adding Jon to CC as well for moodle, which also contains an embedded copy of the Snoopy class.
As mentioned by Bret before, this issue did not affect WordPress(-mu) before 2.6.3, as wordpress called escapeshellcmd on the whole curl command, not only the URL part (but was modified to only escape the URL in 2.6.3).
Upstream Snoopy with the fix prevents command execution via URL, but it still allows execution via some other parameters, such as user agent or referrer specification. But those are unlikely to be controlled by the untrusted user, and are rather controlled by the script author (of course, if this gets exposed in a script using Snoopy, this can be an attack vector as well). Escaping all command line arguments may result in some extraneous unintended escaping, such as */* -> \*/\* in the Accept header. Cookies and form field contents do not seem to allow code execution, as they are urlencoded before being used as curl command line options.
Last, but not least, none of moodle, wordpress or wordpress-mu (patched or unpatched) were really affected on a common Fedora install. $curl_path defaults to /usr/local/bin/curl (and is not changed in any of the Fedora packages), so the affected curl call is never reached if the binary specified by $curl_path is not found.
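The escaping trade-offs described in the comment above, as an added PHP example that is not code from Snoopy, WordPress or moodle. `build_curl_command()`, the URL and the header values are constructed for illustration, and a POSIX shell is assumed.

```php
<?php
// Added example; not Snoopy, WordPress or moodle code. Assumes a POSIX shell.
// build_curl_command() is a hypothetical helper; all inputs are constructed.

/** Quote every value separately so each reaches curl as exactly one argument. */
function build_curl_command(string $curlPath, array $headers, string $url): string
{
    $parts = [escapeshellarg($curlPath)];
    foreach ($headers as $header) {
        $parts[] = '-H';
        $parts[] = escapeshellarg($header);
    }
    // "--" ends curl's option parsing, so a URL beginning with "-" stays a URL.
    $parts[] = '--';
    $parts[] = escapeshellarg($url);
    return implode(' ', $parts);
}

$curl    = '/usr/local/bin/curl';
$url     = 'https://example.test/;echo INJECTED';
$headers = ['Accept: */*', 'User-Agent: demo $(echo INJECTED)'];

// (a) Escape only the URL: the ";" in the URL gets a backslash, but header
//     values sit inside double quotes where the shell still expands $( ).
$urlOnly = $curl;
foreach ($headers as $header) {
    $urlOnly .= ' -H "' . $header . '"';
}
$urlOnly .= ' ' . escapeshellcmd($url);

// (b) escapeshellcmd() over the whole command line: metacharacters are
//     backslash-escaped everywhere, including the "*" characters of the
//     Accept value, so curl is handed altered header data.
$whole = $curl;
foreach ($headers as $header) {
    $whole .= ' -H "' . $header . '"';
}
$whole = escapeshellcmd($whole . ' ' . $url);

// (c) escapeshellarg() per value: single quotes stop all expansion and the
//     Accept value is passed through unchanged.
$perArg = build_curl_command($curl, $headers, $url);

// Print the three command lines for comparison; nothing is executed.
foreach (['url-only' => $urlOnly, 'whole-command' => $whole, 'per-argument' => $perArg] as $label => $cmd) {
    printf("%-14s %s\n", $label, $cmd);
}
```

On PHP 7.4 or later, passing the argument list as an array to proc_open() avoids the shell entirely.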
Looks like this was fixed in Moodle 1.9.3+ on 11/3. I'll update all versions with the current weekly build.
moodle-1.9.3-3.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/moodle-1.9.3-3.fc10
moodle-1.9.3-3.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/moodle-1.9.3-3.fc9
moodle-1.8.7-1.fc8 has been submitted as an update for Fedora 8. http://admin.fedoraproject.org/updates/moodle-1.8.7-1.fc8
Built moodle-1.8.7-1 for EL-4 and EL-5 as well. Will contact rel-eng for push.
moodle-1.8.7-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
moodle-1.9.3-3.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
moodle-1.9.3-3.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
*** Bug 957481 has been marked as a duplicate of this bug. ***
This affects nagios
Created nagios tracking bugs for this issue. Affects: fedora-all [bug 958302]
Created nagios tracking bugs for this issue. Affects: epel-6 [bug 958305]
nagios-4.0.8-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.