Network/Ifaces.pm contains:

    # FIXME: not good to pass directly keys to processes,
    # probably the network one won't be so important
    # to keep secret to other users.
    $output = &Utils::File::run_backtick ("wpa_passphrase $essid $key");

Confirmed $key and $essid are user controllable. Checked other
occurrences of run_backtick(), and arguments are not user controllable.

Users/Groups.pm doesn't do checking either; blackbox testing indicates
the front-end does.

** Changed in: system-tools-backends (Ubuntu)
Status: New => Confirmed
** Visibility changed to: Public
--
breakage and possible execution of unsafe code with shell metacharacters
https://bugs.launchpad.net/bugs/190628
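
Added example, not part of the original bug comment or the system-tools-backends code: one way to call wpa_passphrase from Perl without a shell, using the list form of IPC::Open2 and passing the key on standard input (wpa_passphrase reads the passphrase from stdin when it is not given as an argument). The function name wpa_passphrase_safe and the sample values are hypothetical.

```perl
use strict;
use warnings;
use IPC::Open2;

# Hypothetical replacement for the run_backtick() call quoted above.
# No shell is involved, so metacharacters in $essid or $key are passed
# through as plain data instead of being interpreted.
sub wpa_passphrase_safe {
    my ($essid, $key) = @_;

    # WPA limits: SSID 1-32 bytes, passphrase 8-63 characters.
    # Assumption: both values arrive here as byte strings.
    die "invalid ESSID length\n"
        unless defined $essid && length($essid) >= 1 && length($essid) <= 32;
    die "invalid passphrase length\n"
        unless defined $key && length($key) >= 8 && length($key) <= 63;

    # NUL cannot be passed in argv, and a newline would end the
    # passphrase early when it is read from stdin.
    die "control character in input\n" if "$essid$key" =~ /[\x00\r\n]/;

    # List form of open2: the arguments go straight to exec, not to /bin/sh.
    # The key is written to the child's stdin, so it does not show up in
    # the process list (the concern raised in the FIXME comment).
    my $pid = open2(my $out, my $in, 'wpa_passphrase', $essid);
    print {$in} "$key\n";
    close $in;

    my $output = do { local $/; <$out> };   # slurp everything the child prints
    close $out;

    waitpid($pid, 0);
    die "wpa_passphrase failed\n" if $? != 0;
    return $output;
}

# Constructed sample values; needs wpa_passphrase in PATH to run.
print wpa_passphrase_safe('example-net', 'correct horse battery') unless caller;
```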