Security issue in centos_rhel_install.sh

Alex H.
Hi,

I just subscribed to tell you this issue I stumbled upon.

In centos_rhel_install.sh [1] there is this line for generating the DES
key and then putting it in the config. The way it is made, the key might
contain characters which break the sed expression putting the key in the
config file, so that the configured key is broken:

The line generating the key:

deskey=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9-_#&!*%?' | fold -w 24 | head -n 1)

Taking a look at this example key:

2S0?w1*6GXrxFSah!%&xjnaq

It can contain a '&', which will break the sed expression:

sed -i "s|^\(\$config\['des_key'\] =\).*$|\1 \'${deskey}\';|" /var/www/html/roundcube/config/config.inc.php

so that the example key will bring this result in the config:

$config['des_key'] = '2S0?w1*6GXrxFSah!%$config['des_key'] = 'rcmail-!24ByteDESkey*Str';xjnaq';

instead of:

$config['des_key'] = '2S0?w1*6GXrxFSah!%&xjnaq';

Some info about my environment:

# cat /etc/centos-release
CentOS release 6.8 (Final)

# sed --version
GNU sed version 4.2.1

Best regards,
Alex H.

[1]
https://gist.github.com/rcubetrac/cc85589b837d58680a86e7b5cbb09a4f#file-centos_rhel_install-sh
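The mangling described in the report, reproduced next to a hardened substitution, as an added example that is neither part of the original post nor of the installer script: SAMPLE_KEY, TEMPLATE and the function names are my own, the naive function writes plain quotes around the key where the installer writes \', and the escaping also covers '\' and '|' (not just the '&' the report hit) because sed treats those specially in a replacement too.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post or the installer script.
# Reproduces the mangling: a key containing '&' reaches sed's replacement
# text, where '&' means "the whole match", and shows a hardened form that
# escapes the characters sed treats specially there: '\', '&' and the
# '|' used as delimiter.
set -eu

# Constructed sample: the exact key quoted in the report.
SAMPLE_KEY='2S0?w1*6GXrxFSah!%&xjnaq'
# Constructed stand-in for the des_key line of config.inc.php.
TEMPLATE="\$config['des_key'] = 'rcmail-!24ByteDESkey*Str';"

# Escape a string for use in the replacement part of s|old|new|.
# Backslashes first, so the backslashes added afterwards are not doubled.
sed_escape_replacement() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/&/\\&/g' -e 's/|/\\|/g'
}

# The installer's expression, with the key spliced in unescaped (buggy).
substitute_naive() {
    printf '%s\n' "$TEMPLATE" |
        sed "s|^\(\$config\['des_key'\] =\).*$|\1 '$1';|"
}

# Hardened form: escape the key before it is spliced into the expression.
substitute_safe() {
    esc=$(sed_escape_replacement "$1")
    printf '%s\n' "$TEMPLATE" |
        sed "s|^\(\$config\['des_key'\] =\).*$|\1 '${esc}';|"
}

# Demonstration with the key from the report.
echo "naive: $(substitute_naive "$SAMPLE_KEY")"
echo "safe:  $(substitute_safe "$SAMPLE_KEY")"
```

The naive run prints the doubled line shown in the report; the safe run prints the intended one-line assignment.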
_______________________________________________
Roundcube Development discussion mailing list
[hidden email]
http://lists.roundcube.net/mailman/listinfo/dev