Subject: Re: [PATCH 1/2] vpnmain.cgi: Fixes bug12298 - IPSec password cannot use semicolon
From: Michael Tremer
In-Reply-To: <20250309141209.18633-1-adolf.belka@ipfire.org>
Date: Mon, 10 Mar 2025 09:56:46 +0000
Cc: development@lists.ipfire.org
References: <20250309141209.18633-1-adolf.belka@ipfire.org>
To: Adolf Belka

Hello Adolf,

Oh this is bad. Not the patch, what we have there before…

I would say I will accept this patch as it is because it slightly mitigates the problem. However, there is still a chance to run shell commands using backticks and $(…).

Would you be able to rewrite this command to use one of the &General::system* commands? That way, there will be no command injection possible any more and we can in theory allow quotes and semicolons again.

Best,
-Michael

> On 9 Mar 2025, at 14:12, Adolf Belka wrote:
>
> - The password for the pkcs12 certificate is passed to the openssl command via $opt but
>   it is not quoted and so the ; is taken as the end of the command rather than as part
>   of the password. This also means that a pkcs12 file is not created and the .pem
>   intermediate file is what is left in the directory.
> - This patch makes the -passout option quoted in the same way as the -name and -caname
>   options.
> - Based on being the same as the name and caname parts in $opt, I believe that this should
>   not give rise to a vulnerability but I am open to being corrected.
> - By quoting the -passout then the password must not contain double quotation marks, ",
>   so a test for the password containing a " has been added.
> - The message about the use of the double quotation mark has been added to the English,
>   Dutch and German language files. Feel free to correct if what I have used is not
>   correct. Those are in the other patch of this patch set.
> - Tested out on my testbed system. I was able to create a pkcs12 certificate with a
>   password containing a variety of characters, including the semicolon, and getting
>   a message that the password contains a double quotation mark when I used that.
>
> Fixes: bug12298
> Tested-by: Adolf Belka
> Signed-off-by: Adolf Belka
> --- > html/cgi-bin/vpnmain.cgi | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > mode change 100755 =3D> 100644 html/cgi-bin/vpnmain.cgi >=20 > diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi > old mode 100755 > new mode 100644 > index c9bbbb494..8106ee24e > --- a/html/cgi-bin/vpnmain.cgi > +++ b/html/cgi-bin/vpnmain.cgi > @@ -2149,6 +2149,10 @@ END > $errormessage =3D $Lang::tr{'password too short'}; > goto VPNCONF_ERROR; > } > + if ($cgiparams{'CERT_PASS1'} =3D~ /["]/) { > + $errormessage =3D $Lang::tr{'password has quotation mark'}; > + goto VPNCONF_ERROR; > + } > if ($cgiparams{'CERT_PASS1'} ne $cgiparams{'CERT_PASS2'}) { > $errormessage =3D $Lang::tr{'passwords do not match'}; > goto VPNCONF_ERROR; > @@ -2226,7 +2230,7 @@ END > $opt .=3D " -inkey = ${General::swroot}/certs/$cgiparams{'NAME'}key.pem"; > $opt .=3D " -in ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; > $opt .=3D " -name \"$cgiparams{'NAME'}\""; > - $opt .=3D " -passout pass:$cgiparams{'CERT_PASS1'}"; > + $opt .=3D " -passout pass:\"$cgiparams{'CERT_PASS1'}\""; > $opt .=3D " -certfile ${General::swroot}/ca/cacert.pem"; > $opt .=3D " -caname \"$vpnsettings{'ROOTCERT_ORGANIZATION'} CA\""; > $opt .=3D " -out ${General::swroot}/certs/$cgiparams{'NAME'}.p12"; > --=20 > 2.48.1 >=20 >=20
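
Review bot: the mode change at the top of the diff (old mode 100755, new mode 100644) removes the executable bit from html/cgi-bin/vpnmain.cgi, and the commit message does not mention it. For a CGI script this looks unintended; please restore mode 100755 so that the patch carries only the 5 insertions and 1 deletion listed in the diffstat.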
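
Review bot: the new CERT_PASS1 test in the @@ -2149 hunk rejects only the double quotation mark, but the value ends up inside double quotes in the command string built in the @@ -2226 hunk, where a shell still expands $, backticks and backslashes. A one-character denylist therefore does not cover what the quoting relies on. Either pass the arguments as a list through one of the &General::system* helpers, as requested in the reply, which makes this check unnecessary, or validate CERT_PASS1 against an allowlist of characters. Minor: /["]/ can be written /"/.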
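
Review bot: on the changed -passout line in the @@ -2226 hunk, the password is still interpolated into the single string $opt and handed to openssl as pass:..., so it remains subject to shell parsing and appears in the process argument list while openssl runs. Consider supplying it through one of openssl's other pass phrase sources (env:, file:, fd: or stdin) together with a list-form invocation. The unchanged -inkey, -in and -out lines also interpolate $cgiparams{'NAME'} without quotes, so they depend on NAME being validated earlier, which is not visible in this hunk.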
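
The list-form invocation asked for in the reply, as an added example that is not part of the original messages or of IPFire's code. It uses Perl's built-in list-form pipe open as a stand-in for the &General::system* helpers (assumed here to run the command without a shell), a child Perl process as a stand-in for openssl, and constructed values for the name, password and certificate directory; handing the password over with env: is this example's own choice.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample input: every character the thread worries about.
my %cgiparams = (
    NAME       => 'roadwarrior1',
    CERT_PASS1 => q{se;cret "quoted" $(hostname) `hostname`},
);
my $certs = '/tmp/example-certs';    # placeholder for ${General::swroot}/certs

# One list element per argument: nothing is quoted or escaped, because
# no shell will ever parse these values.
my @opt = (
    '-inkey',   "$certs/$cgiparams{NAME}key.pem",
    '-in',      "$certs/$cgiparams{NAME}cert.pem",
    '-name',    $cgiparams{NAME},
    '-passout', 'env:CERT_PASS',     # openssl reads the password from the environment
    '-out',     "$certs/$cgiparams{NAME}.p12",
);

# Stand-in for the openssl binary: a child Perl that reports its argument
# vector and the password it was handed, so this runs without openssl.
# The '--' stops the child from treating '-inkey' etc. as Perl switches.
my @program = ($^X, '-e',
    'print "arg: $_\n" for @ARGV; print "pass: $ENV{CERT_PASS}\n"', '--');

# Run a command given as a list and return its output lines. With a list,
# Perl execs the program directly instead of going through /bin/sh.
sub run_list {
    my (@cmd) = @_;
    open(my $out, '-|', @cmd) or die "cannot run $cmd[0]: $!";
    chomp(my @lines = <$out>);
    close($out) or die "$cmd[0] exited with status $?";
    return @lines;
}

my @seen;
{
    local $ENV{CERT_PASS} = $cgiparams{CERT_PASS1};   # scoped to this block
    @seen = run_list(@program, @opt);
}
print "$_\n" for @seen;

# The child received each option as its own argument and the password
# byte for byte, with no character rejected or reinterpreted.
my $argc = grep { /^arg: / } @seen;
die "unexpected argv"  unless $argc == scalar @opt;
die "password altered" unless $seen[-1] eq "pass: $cgiparams{CERT_PASS1}";
```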