Child pages
  • Errata - 1.8.2 Patch for escape characters in SSH password in Discovery
Skip to end of metadata
Go to start of metadata

Introduction

We had a Questions report that when using Discovery on a Windows Open-AudIT server and attempting to audit a linux server with a password that contained a percent % character, it wasn't working. The below files will address this issue and be included in 1.8.4.

Summary of Issue

We use a PHP framework called Code Igniter. The framework was "helpfully" escaping the form input and hence removing the % symbol even though we had (we thought) disabled this escaping. We have now overridden the default class that performs this function and included an optional value that when set and passed to the function does not escape the returned value. This is implemented in the open-audit/code_igniter/application/core/MY_Input.php file so we won't lose this functionality if and when we upgrade the Code Igniter framework. Other calls to the function will continue to work as normal because we have made the option passed to the function optional and set it's default to what it normally is in the framework.

We now use this function in the Discovery code and hence everything works as intended.

As an aside we also found we needed to escape the output in a particular way on Windows. Using the PHP function 'escapeshellarg' simply removes quotes and the percent sign from the returned value - not particularly helpful.

The files are below. If this issue affects you, you should place them into the following places.

MY_Input.php

discovery.php

  • No labels