Ticket #294 (new defect)

Opened 7 weeks ago

Last modified 3 days ago

Rudi-Shell doesn't care about security level

Reported by: oliver
Owned by:
Priority: normal
Milestone: freetz-1.2
Component: webinterface
Version: devel
Severity: normal
Keywords: security
Cc:
Blocked By:
Blocking:
Product ID:
Firmware Version:

Description

Display Rudi-Shell in the web interface only if the corresponding security level is set. Also, it is possible to execute any code by clicking on a wrong URL. Perhaps this "feature" should be disabled.

Attachments

rudi-shell.patch (0.8 KB) - added by Whoopie 3 days ago.
rudi-shell.jpg (74.7 KB) - added by Whoopie 3 days ago.

Change History

Changed 3 days ago by Whoopie

The attached patch tries to solve the first part of this ticket. Rudi shell is only shown if the security level is 0 (see rudi-shell.jpg).

How can we solve the second part? It should not be possible to open URLs like http://fritz.box:81/cgi-bin/rudi_shellcmd.cgi?script=echo+You+have+been+hacked.+Deleting...%3b+find+/ (thanks, Oliver ;)). Can we somehow achieve that rudi_shellcmd.cgi can only be called from rudi_shell.cgi?
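One way to handle the second part, as an added example that is neither the attached patch nor Freetz's own code: rudi_shellcmd.cgi only runs a command when the request is a POST carrying a one-time token that rudi_shell.cgi embedded in its form, so a bare link in a browser cannot trigger it. The token file path, the helper names and the usage sketch at the end are assumptions.

```shell
#!/bin/sh
# Added example (not from the Freetz project): gate a command-executing CGI
# behind a per-form token so a plain GET link cannot trigger it.
# TOKEN_FILE is a hypothetical location; rudi_shell.cgi would write it when it
# renders the form and rudi_shellcmd.cgi would read it when the form is posted.
TOKEN_FILE="${TOKEN_FILE:-/tmp/rudi_shell.token}"

# Create a random token, store it, and print it so the form page can embed it.
issue_token() {
    tok=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    printf '%s\n' "$tok" > "$TOKEN_FILE"
    printf '%s\n' "$tok"
}

# Return 0 (allow) only for a POST whose token matches the stored one.
# $1 = request method (from $REQUEST_METHOD), $2 = token sent by the client.
check_request() {
    method="$1"
    sent="$2"
    [ "$method" = "POST" ] || return 1      # a clicked link is always a GET
    [ -r "$TOKEN_FILE" ] || return 1        # no form was rendered first
    expected=$(cat "$TOKEN_FILE")
    [ -n "$expected" ] || return 1
    [ "$sent" = "$expected" ] || return 1   # token missing or wrong
    return 0
}

# Pull one field out of a urlencoded body such as "script=ls&token=abc".
query_param() {
    printf '%s' "$1" | tr '&' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Sketch of how rudi_shellcmd.cgi would use the check (constructed, not the
# real script):
#   read -r body
#   if check_request "$REQUEST_METHOD" "$(query_param "$body" token)"; then
#       rm -f "$TOKEN_FILE"      # one-time use: the next form issues a new one
#       ... run the submitted script ...
#   else
#       printf 'Status: 403 Forbidden\r\n\r\nrejected\n'
#   fi
```

The token only proves the request came through the form; the security-level gate from the attached patch still decides whether the form is offered at all.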
