util function vulnerability

Last revised: 2021-11-01

Summary

We have had a vulnerability reported in the utility controller used by Open-AudIT. The issue has been fixed and the fix will be included in the next release of Open-AudIT. The vulnerability is caused by unvalidated user input reaching a publicly accessible function. The patch removes the vulnerability by allowing the function to be called only from localhost and by validating the user input.
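The two controls named above (a localhost-only gate plus strict input validation) are shown together in the following example. This is added illustrative code, not the Open-AudIT util.php or its patch; the function names, the `name` parameter and the allow-list pattern are assumptions chosen for the demonstration.

```php
<?php
// Added example of the mitigation pattern described in the advisory:
// restrict a publicly routable method to loopback callers and validate
// every parameter before use. Not the Open-AudIT code; names are assumed.

declare(strict_types=1);

/**
 * True only when the TCP peer is the loopback interface. REMOTE_ADDR is set
 * by the web server from the socket, so a client cannot forge it; headers
 * such as X-Forwarded-For are deliberately NOT consulted for this check.
 */
function isLoopbackRequest(array $server): bool
{
    $addr = $server['REMOTE_ADDR'] ?? '';
    return in_array($addr, ['127.0.0.1', '::1'], true);
}

/**
 * Allow-list validation of an untrusted string: letters, digits, dot,
 * underscore and hyphen, 1 to 64 characters, no path separators, and the
 * special names "." and ".." are rejected. Returns null on failure.
 */
function validateName(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    if (!preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $raw)) {
        return null;
    }
    if ($raw === '.' || $raw === '..') {
        return null;
    }
    return $raw;
}

/**
 * Guard to run first inside a public controller method: reject remote
 * callers outright, then reject malformed input, and only then proceed.
 * Returns a small result array so the decision can be unit-tested.
 */
function guardUtilityCall(array $server, array $get): array
{
    if (!isLoopbackRequest($server)) {
        return ['status' => 403, 'error' => 'This endpoint is restricted to localhost.'];
    }
    $name = validateName($get['name'] ?? null);
    if ($name === null) {
        return ['status' => 400, 'error' => 'Invalid or missing "name" parameter.'];
    }
    return ['status' => 200, 'name' => $name];
}

// Constructed sample requests (not real traffic):
// a remote caller, a local caller with a malformed parameter, and a local
// caller with a well-formed parameter.
var_dump(guardUtilityCall(['REMOTE_ADDR' => '203.0.113.10'], ['name' => 'report']));
var_dump(guardUtilityCall(['REMOTE_ADDR' => '127.0.0.1'], ['name' => 'bad/../name']));
var_dump(guardUtilityCall(['REMOTE_ADDR' => '127.0.0.1'], ['name' => 'report']));
```

The order of the checks matters: the network gate runs before any parameter is touched, so an unauthenticated remote caller never reaches the parsing code. If the application sits behind a reverse proxy on the same host, every request arrives from loopback and the localhost check alone provides no protection; the input validation must then carry the load, and the restricted method should ideally be removed from the public route table as well.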

Severity: Severe

This issue is remotely exploitable by unauthenticated users. All users are advised to patch immediately.

Products Affected

Open-AudIT Community versions 3.5.0 and later.

Available Updates

A patch for the issue described in this bulletin will be available in the next released Open-AudIT v4.3.0.

Workarounds and Mitigations

Download the attached file and place it in:

Linux

/usr/local/open-audit/code_igniter/application/controllers/util.php

Windows

c:\xampp\open-audit\code_igniter\application\controllers\util.php

The file is also available on GitHub at https://raw.githubusercontent.com/Opmantek/open-audit/master/code_igniter/application/controllers/util.php

The associated commits can also be viewed on GitHub at:

https://github.com/Opmantek/open-audit/commit/21547c1cd47d5e7f362d08febe1dfccf649fe5b1#diff-0d4f2e9612b02690fdeac430d36d1a8c334d6fb1e1d17c223cbfe5321b2bd04e

https://github.com/Opmantek/open-audit/commit/1ce039306d85598880ff25fbeb20195ef3b7a993#diff-0d4f2e9612b02690fdeac430d36d1a8c334d6fb1e1d17c223cbfe5321b2bd04e

Attached file: util.php