Secure cli.php to be available from CLI only #39
Comments
aharjula
added a commit
to maths/moodle-qtype_stack
that referenced
this issue
Nov 8, 2019
Serious actors may wish to do a hot-fix but no known attacks observed yet. hafriedlander/php-peg#39
Rillke
added a commit
to uni-halle/maximapool-docker
that referenced
this issue
Nov 13, 2019
4.2.2a for Moodle 3.0+ Note that the hafriedlander/php-peg#39 security issue doesn't appear to affect this Java Server as no PHP is interpreted.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
php-peg library is included by other projects, for example: https://github.com/maths/moodle-qtype_stack/tree/master/thirdparty/php-peg
In this example, the other library is deployed on available on a web server. This leads to opportunity to run any PHP script contained there using web URL - including https://github.com/maths/moodle-qtype_stack/blob/master/thirdparty/php-peg/cli.php .
If register_argc_argv is set in php.ini, then $_SERVER['argv'] is populated with $_GET so the data could be passed into
Compiler::cli( $_SERVER['argv'] ) ;.I don't think that in the current form cli.php can be exploited in any way but it may be a good idea to protect this script and make sure it only runs as CLI. This could be done with:
The text was updated successfully, but these errors were encountered: