Ansgar Burchardt
2011-Aug-11 21:36 UTC
[Secure-testing-team] Bug#637477: possibly allows shell injection
Package: src:dtc
Version: 0.29.17-1
Severity: critical
Tags: security
Hi,
shared/inc/sql/lists.php includes code like
    if ($_REQUEST[$tunable_name]!=""){
        //i write in the file
        $write_line = "echo ".$_REQUEST[$tunable_name]." > ".$option_file;
        exec($write_line);
    }else{ //i remove the file
and does not seem to check the contents of $_REQUEST for sanity as far as I can
see.
(I did not try actually using it as I do not have dtc set up.)
Regards,
Ansgar
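
For comparison with the snippet quoted in the report, the following is an added example (not dtc code and not a patch from the report) that writes the value without invoking a shell. The function name write_tunable(), the allow-list pattern and the length limit are hypothetical, and $option_file is assumed to be built by the application rather than taken from the request.

```php
<?php
// Added example, not dtc code. write_tunable() and its validation policy are
// hypothetical; $option_file is assumed to come from the application, never
// from the request.

/**
 * Store a tunable value in its option file, or remove the file when the
 * value is empty. No shell is involved, so characters such as ; | ` $ in
 * $value are written as plain bytes instead of being interpreted.
 */
function write_tunable(string $option_file, $value): bool
{
    // Request parameters can arrive as arrays (name[]=x); accept strings only.
    if (!is_string($value)) {
        return false;
    }
    if ($value === '') {
        // Mirrors the "remove the file" branch of the quoted snippet.
        return !file_exists($option_file) || unlink($option_file);
    }
    // Assumed policy: one line of printable ASCII, at most 255 bytes.
    if (!preg_match('/\A[\x20-\x7E]{1,255}\z/', $value)) {
        return false;
    }
    // "echo" appends a newline, so keep the same on-disk format.
    return file_put_contents($option_file, $value . "\n", LOCK_EX) !== false;
}

// Constructed inputs for demonstration only.
$file = tempnam(sys_get_temp_dir(), 'tunable_');

// A value containing a shell separator is stored literally.
$with_metachar = '1; echo injected';
var_dump(write_tunable($file, $with_metachar));
var_dump(file_get_contents($file) === $with_metachar . "\n");

// Multi-line and non-string values are rejected by the assumed policy.
var_dump(write_tunable($file, "a\nb"));
var_dump(write_tunable($file, ['a']));

// An empty value removes the option file.
var_dump(write_tunable($file, ''));
var_dump(file_exists($file));
```

If a shell command cannot be avoided, each interpolated value needs escapeshellarg(); writing the file directly removes the shell from the path altogether.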