Module: kamailio
Branch: master
Commit: f81f0e77c5ab67431af1f62f0e027379a3445951
URL:
https://github.com/kamailio/kamailio/commit/f81f0e77c5ab67431af1f62f0e02737…
Author: Sandro Gauci <sandro(a)enablesecurity.com>
Committer: Daniel-Constantin Mierla <miconda(a)gmail.com>
Date: 2023-01-23T14:18:44+01:00
exec: docs - added security warning
- Added warning about potential for OS Command Injection
- Updated invalid examples
previous example gives the following error:
pv_parse_spec2(): error searching pvar "rU.txt"
---
Modified: src/modules/exec/doc/exec_admin.xml
---
Diff:
https://github.com/kamailio/kamailio/commit/f81f0e77c5ab67431af1f62f0e02737…
Patch:
https://github.com/kamailio/kamailio/commit/f81f0e77c5ab67431af1f62f0e02737…
---
diff --git a/src/modules/exec/doc/exec_admin.xml b/src/modules/exec/doc/exec_admin.xml
index fd0d88f4f5..93ea78cd87 100644
--- a/src/modules/exec/doc/exec_admin.xml
+++ b/src/modules/exec/doc/exec_admin.xml
@@ -77,6 +77,23 @@
Otherwise they will be evaluated as &kamailio; pseudo-variables,
throwing errors.
</para>
+ <para>
+ WARNING: if the exec functions are passed variables that might include
+ malicious input, then remote attackers may abuse the exec functions to
+ execute arbitrary code. Specifically, this may result in OS command injection.
+ In such cases, input validation is required to prevent the vulnerability.
+ The following is an example of how input validation and exec module
+ functions may be used together to prevent exploitation:
+ </para>
+ <programlisting format="linespecific">
+...
+if !($rU =~ "^[0-9]{1,15}$") {
+ xlog("Malformed R-URI username: '$rU'\n");
+ exit;
+}
+exec_msg("echo TEST >> /tmp/$(rU).txt");
+...
+ </programlisting>
</section>
<section>
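Review bot: the new warning covers only the variable in its own example; the guarded `exec_msg("echo TEST >> /tmp/$(rU).txt")` shows an allowlist on `$rU`, but the text should state explicitly that every pseudo-variable interpolated into any `exec_*` command string needs such a check immediately before the call, and that the command reaches a shell (the example itself relies on shell redirection), so rejecting a few metacharacters is not a substitute for the positive `^[0-9]{1,15}$` style match shown. The example also uses `>>` while every reference example in this file uses `>`; aligning them avoids readers wondering whether the append matters.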
@@ -186,7 +203,7 @@ modparam("exec", "time_to_kill", 20)
<programlisting format="linespecific">
...
exec_dset("echo TEST > /tmp/test.txt");
-exec_dset("echo TEST > /tmp/$rU.txt");
+exec_dset("echo TEST > /tmp/$(rU).txt");
...
</programlisting>
</example>
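Review bot: the `$rU.txt` to `$(rU).txt` change is correct but unexplained in the doc; the only hint is the `pv_parse_spec2(): error searching pvar "rU.txt"` message in the commit text, so a sentence in the exec_dset description noting that a pseudo-variable followed directly by text must be written with the `$(name)` form, otherwise the trailing `.txt` is parsed as part of the variable name, would save the next reader the same debugging. Also consider keeping this reference example consistent with the warning added above, since it still interpolates an unchecked `$rU` into a shell command.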
@@ -225,7 +242,7 @@ exec_dset("echo TEST > /tmp/$rU.txt");
<programlisting format="linespecific">
...
exec_msg("echo TEST > /tmp/test.txt");
-exec_msg("echo TEST > /tmp/$rU.txt");
+exec_msg("echo TEST > /tmp/$(rU).txt");
...
</programlisting>
</example>
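Review bot: this exec_msg example is the same function used in the new security warning, yet here it interpolates `$rU` with no validation; since readers copy the reference example rather than the warning paragraph, either reuse the guarded form (`if !($rU =~ "^[0-9]{1,15}$") { ... exit; }` before the call) or add a one-line cross-reference to the warning.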
@@ -300,7 +317,7 @@ exec_avp("echo TEST", "$avp(s:test)");
<programlisting format="linespecific">
...
exec_cmd("echo TEST > /tmp/test.txt");
-exec_cmd("echo TEST > /tmp/$rU.txt");
+exec_cmd("echo TEST > /tmp/$(rU).txt");
...
</programlisting>
</example>
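Review bot: the exec_cmd example repeats the identical `echo TEST > /tmp/$(rU).txt` string as exec_dset and exec_msg, so the three reference entries share one unvalidated pattern; rather than patching each, a single sentence in each function's description pointing to the input validation warning at the top of the module doc would keep them consistent and make the `$(rU)` syntax fix here self-explanatory.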
@@ -315,4 +332,3 @@ exec_cmd("echo TEST > /tmp/$rU.txt");
</para>
</section>
</chapter>
-