From: Michael Tremer
Date: Wed, 20 May 2026 15:04:25 +0000 (+0100)
Subject: samba: Fix shell command execution vulnerability in join operation
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=35d45aad9c59e87fe60d2c66cb18dcd015960d71;p=ipfire-2.x.git

samba: Fix shell command execution vulnerability in join operation

From the reporter:

File: html/cgi-bin/samba.cgi, lines 96-98 and 790-798.

joindomain() builds @options = ("/usr/local/bin/sambactrl","join", $username, $password) and runs qx(@options). In Perl, qx(@array) joins with $" and passes the result to /bin/sh -c. POST parameters USERNAME and PASSWORD reach this with no validation on the 'join' code path. RCE as the web user (nobody).

Reported-by: valent1
Signed-off-by: Michael Tremer
---
diff --git a/html/cgi-bin/samba.cgi b/html/cgi-bin/samba.cgi
index 5a23bf044..f3b092da8 100644
--- a/html/cgi-bin/samba.cgi
+++ b/html/cgi-bin/samba.cgi
@@ -791,8 +791,10 @@ sub joindomain { my $username = shift; my $password = shift; - my @options = ("/usr/local/bin/sambactrl", "join", $username, $password); - my $output = qx(@options); + my @output = &General::system_output( "/usr/local/bin/sambactrl", "join", $username, $password, ); - return $output; + # Join together the output + return join("\n", @output); }
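Review bot: the list-form call to &General::system_output closes the injection in joindomain(), since "/usr/local/bin/sambactrl", "join", $username and $password are now passed as separate arguments instead of one string handed to /bin/sh -c, but the reporter's second point, that USERNAME and PASSWORD reach the 'join' path with no validation (samba.cgi lines 96-98 in the report), is not touched by this hunk; either add a check on $username at the call site or say in the commit message why none is needed. Two things the visible lines cannot settle and that should be confirmed: the return value changes shape from the raw qx() string to join("\n", @output), which only inserts separators (so the result has no trailing newline unless the elements keep theirs, and whether system_output strips per-line newlines is not shown), so any caller that matched on or appended to the old string needs re-checking; and the password is still handed to sambactrl on its command line, where other local users can read it from the process list, so a follow-up could pass it some other way if sambactrl can take it.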
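The mechanism in the report (qx() interpolating the array into one string for /bin/sh -c) next to a shell-free list-form replacement, as an added example that is not IPFire code and does not show how the project's General::system_output helper works. It substitutes /bin/echo for /usr/local/bin/sambactrl, so the output is just the argv the child received, and uses a constructed attacker username; the hardened function uses Perl's list-form pipe open, which is one way to get the same effect the commit gets from its helper.

```perl
#!/usr/bin/perl
# Added example (not IPFire code): why qx(@array) is a shell injection,
# and a list-form replacement that never goes through /bin/sh.
use strict;
use warnings;

# Stand-in for /usr/local/bin/sambactrl (an assumption for this demo):
# /bin/echo prints its argv, which is enough to see what the child got.
my $TOOL = '/bin/echo';

# Vulnerable shape, as in the old joindomain(): qx() interpolates the
# array (elements joined with $", a space by default) into ONE string
# and hands that string to /bin/sh -c, so shell metacharacters inside
# $username or $password are interpreted by the shell.
sub join_vulnerable {
    my ($username, $password) = @_;
    my @options = ($TOOL, "join", $username, $password);
    my $output = qx(@options);
    return $output;
}

# Hardened shape: list-form pipe open. With more than one list element
# Perl execs the program directly, and each element becomes exactly one
# argv entry, so a ';' in the username stays literal argument text.
sub join_hardened {
    my ($username, $password) = @_;
    my @cmd = ($TOOL, "join", $username, $password);
    open(my $fh, '-|', @cmd) or die "cannot run $cmd[0]: $!";
    my @output = <$fh>;
    close($fh);
    chomp(@output);
    return join("\n", @output);
}

# Constructed attacker input: a username that ends the intended command
# and appends a second one.
my $evil_user = 'alice; echo INJECTED-COMMAND-RAN';
my $password  = 'secret';

print "--- qx(\@array): string goes through /bin/sh -c ---\n";
print join_vulnerable($evil_user, $password);

print "--- list-form open: argv goes straight to the program ---\n";
print join_hardened($evil_user, $password), "\n";
```

Run it and compare the two sections: in the first, /bin/sh splits the interpolated string at the ';' and runs the appended echo as a separate command; in the second, the whole username arrives in the child as a single argv entry and the appended text is merely echoed back. The same one-element caveat applies as with system(): a list of exactly one element can still be handed to the shell if it contains metacharacters, so keep the program and its arguments as separate elements.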