Author: nhosoi
Update of /cvs/dirsec/ldapserver/ldap/admin/src/scripts In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv4673/ldap/admin/src/scripts
Modified Files: Tag: Directory71RtmBranch template-repl-monitor-cgi.pl Log Message: Resolves: RHSA-2008:0199 Description: A shell command injection flaw in the Red Hat Administration Server replication monitor CGI script could be exploited by an attacker to execute arbitrary shell commands with root privileges.
Index: template-repl-monitor-cgi.pl =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/admin/src/scripts/Attic/template-repl-monitor-cgi.pl,v retrieving revision 1.4 retrieving revision 1.4.2.1 diff -u -r1.4 -r1.4.2.1 --- template-repl-monitor-cgi.pl 19 Apr 2005 22:07:00 -0000 1.4 +++ template-repl-monitor-cgi.pl 30 Apr 2008 18:28:25 -0000 1.4.2.1 @@ -40,33 +40,40 @@
use Cgi;
-$params = ""; -$params .= " -h $cgiVars{'servhost'}" if $cgiVars{'servhost'}; -$params .= " -p $cgiVars{'servport'}" if $cgiVars{'servport'}; -$params .= " -f $cgiVars{'configfile'}" if $cgiVars{'configfile'}; -$params .= " -t $cgiVars{'refreshinterval'}" if $cgiVars{'refreshinterval'}; -if ($cgiVars{'admurl'}) { - $admurl = "$cgiVars{'admurl'}"; - if ( $ENV{'QUERY_STRING'} ) { - $admurl .= "?$ENV{'QUERY_STRING'}"; - } - elsif ( $ENV{'CONTENT_LENGTH'} ) { - $admurl .= "?$Cgi::CONTENT"; - } - $params .= " -u "$admurl""; -} -$siteroot = $cgiVars{'siteroot'}; +@ARGV = (); # clear it out +my $configfile = $ENV{ADMSERV_ROOT} . "/replmon.conf"; +push @ARGV, '-f', $configfile; + +my $refreshinterval = $cgiVars{'refreshinterval'} ? int($cgiVars{'refreshinterval'}) : "300"; +push @ARGV, '-t', $refreshinterval; + +my $siteroot = $ENV{NETSITE_ROOT}; $perl = "$siteroot/bin/slapd/admin/bin/perl"; $ENV{'LD_LIBRARY_PATH'} = "$siteroot/lib:$siteroot/lib/nsPerl5.005_03/lib";
-# Save user-specified parameters as cookies in monreplication.properties. -# Sync up with the property file so that monreplication2 is interval, and -# monreplication3 the config file pathname. -$propertyfile = "$siteroot/bin/admin/admin/bin/property/monreplication.properties"; -$edit1 = "s#monreplication2=.*#monreplication2=$cgiVars{'refreshinterval'}#;"; -$edit2 = "s#^monreplication3=.*#monreplication3=$cgiVars{'configfile'}#;"; -system("$perl -p -i.bak -e "$edit1" -e "$edit2" $propertyfile"); +my $admurl = "http://"; +if ($ENV{HTTPS} and (lc($ENV{HTTPS}) eq "on")) { + $admurl = "https://"; +} +$admurl .= $ENV{HTTP_HOST} . $ENV{SCRIPT_NAME} . "?refreshinterval=$refreshinterval"; +push @ARGV, '-u', $admurl; + +if ($configfile and -f $configfile) { + # have to grab the first host from it + if (open(CONFFILE, $configfile)) { + while (<CONFFILE>) { + next if (/^#/); # skip comments + next if (/^\s*$/); # skip blank lines + next if (/^[/); # skip sections + my ($host, $port, $rest) = split(/:/); + push @ARGV, '-h', $host; + push @ARGV, '-p', $port; + last; + } + close CONFFILE; + } +}
# Now the real work $replmon = "$siteroot/bin/slapd/admin/scripts/template-repl-monitor.pl"; -system("$perl $replmon $params"); +exec $perl, $replmon, @ARGV;
389-commits@lists.fedoraproject.org