samba: Fix shell command execution vulnerability in join operation
authorMichael Tremer <michael.tremer@ipfire.org>
Wed, 20 May 2026 15:04:25 +0000 (16:04 +0100)
committerMichael Tremer <michael.tremer@ipfire.org>
Wed, 20 May 2026 15:21:50 +0000 (15:21 +0000)
From the reporter:

   File: html/cgi-bin/samba.cgi, lines 96-98 and 790-798.
   joindomain() builds @options = ("/usr/local/bin/sambactrl","join",
   $username, $password) and runs qx(@options). In Perl, qx(@array)
   joins with $" and passes the result to /bin/sh -c. POST parameters
   USERNAME and PASSWORD reach this with no validation on the 'join'
   code path. RCE as the web user (nobody).

Reported-by: valent1 <gooads612@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
html/cgi-bin/samba.cgi

index 5a23bf044ef48047ec59250672a4622d93d10b92..f3b092da85f3a01c1b2d111c6021a4e566094ece 100644 (file)
@@ -791,8 +791,10 @@ sub joindomain {
        my $username = shift;
        my $password = shift;
 
-       my @options = ("/usr/local/bin/sambactrl", "join", $username, $password);
-       my $output = qx(@options);
+       my @output = &General::system_output(
+               "/usr/local/bin/sambactrl", "join", $username, $password,
+       );
 
-       return $output;
+       # Join together the output
+       return join("\n", @output);
 }
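Review bot: `$username` and `$password` still reach `sambactrl` unvalidated in the lines added to `joindomain`, so the list-form call removes the shell but not argument injection: a value beginning with `-` may be parsed as an option by the helper, whose own handling is not visible here. A guard before the call, for example `return "Invalid username" unless $username =~ /\A[A-Za-z0-9][A-Za-z0-9._\@\\-]*\z/;` (the pattern is a constructed sample; adjust it to the account formats the join accepts), would close that. The password is also passed in argv, where it is readable from the process list while the helper runs; feeding it over stdin would need a change to `sambactrl` outside this hunk. All of this assumes `General::system_output` executes the list without a shell, and `joindomain` starts above the hunk.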