Is it safe to use eval on user input? about gargoyle HOT 10 CLOSED

Further, haserl filters these variables into the environment. So if there's a vulnerability it likely exists at that level. I recently tested this after an issue was raised against the diagnostics plug-in

from gargoyle.

Gargoyle is a single user system. You must have already broken the root password to be able to run any page that does this.
If you've got root, you've got an easier attack route than this.

I get it, but I think the attack vector is kind of moot here.
Do you agree? I'm happy to hear you out.

from gargoyle.

1. Thanks You for fast reply.
2. Sometimes run_commands and/or get_password_cookie are running before login succeeds.
3. it seems safe as long as gargoyle_session_validator does not "print" the user-input, otherwise it gets executed, 'echo' do prints.
4. haserl even can translate from url encoded values giving more "obfuscation" to user-payload.

from gargoyle.

Further, haserl filters these variables into the environment. So if there's a vulnerability it likely exists at that level. I recently tested this after an issue was raised against the diagnostics plug-in

did You tried to inject both url encoded (full encoding and not full) data?

from gargoyle.

I'll run some further validations.
If you have a proof of concept vulnerability that you believe works, feel free to send it to me privately via the forum or you can email me. That way any potential vulnerability is disclosed privately and can be fixed before details are released.

from gargoyle.

I'll run some further validations. If you have a proof of concept vulnerability that you believe works, feel free to send it to me privately via the forum or you can email me. That way any potential vulnerability is disclosed privately and can be fixed before details are released.

Thank You,

from gargoyle.

Gargoyle router is no longer in my possession. But this part of code catch my eyes

from gargoyle.

I was not able to produce any RCE type issues with this code.
IF a line existed like eval $(echo "$HTTP_USER_AGENT") then yes it is very easy to trigger lots of unwanted behaviour.
However passing it into the gargoyle_session_validator appears to do no harm, and I was not able to come up with any syntax that would escape out of this subshell and execute anything meaningful.

From my point of view, this issue should now be closed, and if in the future yourself (or anyone else) is able to produce some kind of vulnerability of this nature, please do let me know! Thanks for raising the issue!

from gargoyle.

@weakbytes please close this issue

from gargoyle.

Closed

from gargoyle.