Input sanitization bypassed
When the Rapid7 researchers looked at the patches, they noticed some sanitization being added to a value called $gskey which was being passed to a script called $ingrediRoot/app/dbquote via the echo command.
“The change in how the $gskey value is passed to the echo command is a classic argument injection issue,” the researchers wrote. “In a shell script, when passing an unquoted variable to a command, the shell will pass the contents of the value to the command as individual arguments to the command, as parsed by the shell. If the value is wrapped in double quotes, the shell will pass the entire value as a single argument to the command.”
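The quoting behaviour the researchers describe can be observed directly. The script below is an added illustration, not code from BeyondTrust or Rapid7: `dbquote` is a stand-in function that only reports how many arguments it received, and `gskey` is fed a constructed value, so it models the unquoted expansion flagged in the patch rather than reproducing the original script's command line.

```shell
#!/bin/sh
# Stand-in for $ingrediRoot/app/dbquote: reports the argument count and the
# first argument so the effect of shell word splitting is visible.
dbquote() {
    printf 'argc=%s first=%s\n' "$#" "$1"
}

# Vulnerable pattern: $gskey is expanded unquoted, so the shell splits the
# value on IFS whitespace (and applies pathname expansion to any globbing
# characters) before dbquote ever sees it. Each word becomes a separate
# argument, which is what lets a crafted value inject extra arguments.
unquoted_call() {
    gskey="$1"
    dbquote $gskey
}

# Hardened pattern: wrapping the expansion in double quotes hands the whole
# value to dbquote as exactly one argument, regardless of its contents.
quoted_call() {
    gskey="$1"
    dbquote "$gskey"
}

# Constructed sample value containing whitespace; a real key would not.
sample='abc def ghi'
echo "unquoted: $(unquoted_call "$sample")"   # argc=3 first=abc
echo "quoted:   $(quoted_call "$sample")"     # argc=1 first=abc def ghi
```

Linters such as shellcheck flag the unquoted form (SC2086), which is the cheapest way to catch this pattern across a codebase before it reaches review.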
But the BeyondTrust advisory said that exploiting this vulnerability “can allow an unauthenticated remote attacker to execute underlying operating system commands within the context of the site user.” Argument injection on its own does not achieve that, so the researchers had to keep digging.