
Remote Code Execution via unescaped parameter in generateString function #433

Closed
d90pwn opened this issue May 8, 2020 · 2 comments
Labels: severity:security (Affects security), type:bug (Bug)

Comments

d90pwn commented May 8, 2020

I found an issue that causes Remote Code Execution through improper input validation of the $this->messageCategory variable.

As a result, a remote attacker with access to the https://localhost/gii/ endpoint can write arbitrary PHP code into a template file, and then run it.

To fix the issue, we can replace

```php
$str = "Yii::t('" . $this->messageCategory . "', '" . $string . "'" . $ph . ")";
```

with

```php
$str = "Yii::t('" . addslashes($this->messageCategory) . "', '" . $string . "'" . $ph . ")";
```

in the affected file.

schmunk42 (Contributor) commented

Or a better validation here:

```php
[['messageCategory'], 'validateMessageCategory', 'skipOnEmpty' => false],
```
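To make the two proposals above concrete, here is an added example (not code from yii2-gii) that models the string generation described in the report and contrasts the reporter's `addslashes()` escaping with a whitelist validator of the kind the rule above would call. The class name `GeneratorLike`, the `validateMessageCategory()` body and its regular expression are assumptions, not the project's implementation.

```php
<?php
// Added example, not yii2-gii code. Models the three variants discussed in the issue.
final class GeneratorLike
{
    public string $messageCategory = 'app';
    public array $errors = [];

    // As reported: the category is concatenated unescaped into PHP source that
    // later lands in a generated template file, so a quote in it ends the literal.
    public function generateStringUnsafe(string $string, string $ph = ''): string
    {
        return "Yii::t('" . $this->messageCategory . "', '" . $string . "'" . $ph . ")";
    }

    // Reporter's proposal: escape the value before embedding it.
    public function generateStringEscaped(string $string, string $ph = ''): string
    {
        return "Yii::t('" . addslashes($this->messageCategory) . "', '" . $string . "'" . $ph . ")";
    }

    // Validator variant (assumed body): reject anything that is not an
    // identifier-like category such as "app" or "app/models" instead of escaping.
    // With 'skipOnEmpty' => false an empty category is rejected as well.
    public function validateMessageCategory(string $attribute): bool
    {
        $value = $this->$attribute;
        if (!preg_match('/^[A-Za-z0-9_][A-Za-z0-9_\/\-.]*$/', $value)) {
            $this->errors[$attribute][] =
                "$attribute may only contain letters, digits, '_', '/', '-' and '.'";
            return false;
        }
        return true;
    }
}

// Constructed inputs: a normal category, a category with a single quote, and an empty one.
$g = new GeneratorLike();
foreach (['app/models', "app'bar", ''] as $category) {
    $g->messageCategory = $category;
    $g->errors = [];
    $ok = $g->validateMessageCategory('messageCategory');
    printf("category %-12s valid=%s\n", json_encode($category), $ok ? 'yes' : 'no');
    printf("  unsafe : %s\n", $g->generateStringUnsafe('Hello'));
    printf("  escaped: %s\n", $g->generateStringEscaped('Hello'));
}
```

The second input shows the unsafe variant emitting `Yii::t('app'bar', 'Hello')`, i.e. the quote closes the string literal in the generated source, while the validator refuses the value before any code is generated.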

@samdark samdark added this to the 2.2.2 milestone May 10, 2020
@samdark samdark added type:bug Bug status:ready for adoption Feel free to implement this issue. labels May 10, 2020
samdark (Member) commented May 10, 2020

First of all, thanks for reporting it.

  1. I don't consider it a huge security issue since Gii should not be enabled on production ever. That's an easy way to disrupt the project by rewriting custom code with generated code.
  2. It's good to have it fixed nevertheless.
  3. @schmunk42 solution fits it better, I think.

@samdark samdark added the severity:security Affects security label May 5, 2021
@samdark samdark removed the status:ready for adoption Feel free to implement this issue. label May 5, 2021
@samdark samdark closed this as completed in ed61e0d May 6, 2021