| Ticket Hash: | 56b82836ffba995245dabd8feecf4cba975a4a13 | | |
| Title: | RCE by exploiting unchecked content of the ticket-table setting | | |
| Status: | Fixed | Type: | Code_Defect |
| Severity: | Critical | Priority: | Immediate |
| Subsystem: | | Resolution: | Fixed |
| Last Modified: | 2020-08-19 00:19:31 5.62 years ago | Created: | 2020-08-17 08:36:19 5.63 years ago |
| Version Found In: | | | |

User Comments:

drh added on 2020-08-17 08:36:19:
On a clone (or on a "fossil config pull ticket") the SQL text in the ticket-table setting is run on the client, without restriction. A malicious server admin could put SQL in that setting that changes the value of other settings such as "ssh-command" and/or "last-sync-url" which could then cause arbitrary code to run the next time the victim did a "fossil pull". Problem discovered by Max Justicz.

drh added on 2020-08-19 00:19:31:
Add an authorizer to the ticket-table script processing.
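
The kind of fix named in the last comment, an SQLite authorizer wrapped around the ticket-table script, sketched as an added example (this is not Fossil's own code; the allowed table names, the `config` table layout and all function names are assumptions made for illustration):

```python
import sqlite3

# Assumption: the script may only define and fill these tables.
TICKET_TABLES = {"ticket", "ticketchng"}
SCHEMA_TABLES = {"sqlite_master", "sqlite_schema"}  # written internally by DDL
ALWAYS_OK = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION,
             sqlite3.SQLITE_TRANSACTION, sqlite3.SQLITE_REINDEX}
TABLE_DDL = {sqlite3.SQLITE_CREATE_TABLE, sqlite3.SQLITE_DROP_TABLE}
INDEX_DDL = {sqlite3.SQLITE_CREATE_INDEX, sqlite3.SQLITE_DROP_INDEX}
ROW_WRITES = {sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE}

def ticket_authorizer(action, arg1, arg2, dbname, source):
    """Allowlist checked when each statement is prepared; default is deny."""
    if action in ALWAYS_OK:
        return sqlite3.SQLITE_OK
    if action in TABLE_DDL or action in ROW_WRITES:
        table = arg1                      # arg1 is the table name
    elif action in INDEX_DDL:
        table = arg2                      # arg1 is the index, arg2 its table
    else:
        return sqlite3.SQLITE_DENY        # PRAGMA, ATTACH, triggers, views, ...
    if action in ROW_WRITES and table in SCHEMA_TABLES:
        return sqlite3.SQLITE_OK          # bookkeeping done by allowed DDL
    ok = table is not None and table.lower() in TICKET_TABLES
    return sqlite3.SQLITE_OK if ok else sqlite3.SQLITE_DENY

def run_ticket_script(db, script):
    """Run untrusted ticket-table SQL; return False if any statement is denied."""
    db.set_authorizer(ticket_authorizer)
    try:
        db.executescript(script)
        return True
    except sqlite3.DatabaseError:         # "not authorized" or a plain SQL error
        return False
    finally:
        db.set_authorizer(lambda *args: sqlite3.SQLITE_OK)  # lift the restriction

def demo():
    db = sqlite3.connect(":memory:")
    # Constructed stand-in for a settings table holding "ssh-command".
    db.execute("CREATE TABLE config(name TEXT PRIMARY KEY, value TEXT)")
    db.execute("INSERT INTO config VALUES('ssh-command', 'ssh')")
    db.commit()
    benign = ("CREATE TABLE ticket(tkt_id INTEGER PRIMARY KEY, title TEXT);"
              "CREATE INDEX ticket_title ON ticket(title);")
    hostile = "UPDATE config SET value='CHANGED' WHERE name='ssh-command';"
    results = (run_ticket_script(db, benign), run_ticket_script(db, hostile))
    value = db.execute("SELECT value FROM config WHERE name='ssh-command'").fetchone()[0]
    return results + (value,)
```

The schema script still creates its table and index, while the write to the settings table is rejected when the statement is prepared, before any row changes.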