IBM Support

IJ17930: COMMAND INJECTION REPORTED FOR LOGIN PASSWORD FIELD


APAR status

  • Closed as program error.

Error description

  • Threat:
    Operating system command injection vulnerabilities arise when an
    application incorporates user-controllable data into a command that
    is processed by a shell command interpreter. If the user data is not
    strictly validated, an attacker can use shell meta-characters to
    modify the command that is executed and inject arbitrary further
    commands that will be executed by the server.
    OS command injection vulnerabilities are usually very serious and may
    lead to compromise of the server hosting the application, or of the
    application's own data and functionality. It may also be possible to
    use the server as a platform for attacks against other systems. The
    exact potential for exploitation depends upon the security context in
    which the command is executed, and the privileges that this context
    has regarding sensitive resources on the server.
    This attack is possible for any unauthenticated user. Therefore the
    probability of this attack is rated as high.
    Details:
    1) The password field in the login page was found to be vulnerable to
    OS command injection.
    The "ping" command can normally be used as a means of triggering a
    time delay, by causing the server to ping its loopback interface for
    a specific period. There are minor differences between how Windows
    and UNIX-based platforms handle command separators and the ping
    command. However, the following all-purpose test string should induce
    a 10-second time delay on either platform if no filtering is in place.
    2) The next step is to determine whether you can create a file on the
    server. Try injecting a more interesting command, such as
    |cat > malicious.sh
    Recommendation:
    If possible, applications should avoid incorporating
    user-controllable data into operating system commands. In almost
    every situation, there are safer alternative methods of performing
    server-level tasks, which cannot be manipulated to perform commands
    other than the one intended.
    If it is considered unavoidable to incorporate user-supplied data
    into operating system commands, the following two layers of defense
    should be used to prevent attacks:
    • The user data should be strictly validated. Ideally, a whitelist
    of specific accepted values should be used. Otherwise, only short
    alphanumeric strings should be accepted. Input containing any other
    data, including any conceivable shell meta-character or whitespace,
    should be rejected.
    • The application should use command APIs that launch a specific
    process via its name and command-line parameters, rather than
    passing a command string to a shell interpreter that supports
    command chaining and redirection. For example, the Java API
    Runtime.exec (called with a String[] argument vector, so that the
    API does not tokenize the string itself) and the ASP.NET API
    Process.Start do not pass the command through a shell and therefore
    do not honor shell meta-characters. This defense can mitigate the
    impact of an attack even in the event that an attacker circumvents
    the input validation defenses.
    

Local fix

  • NA
    

Problem summary

  •  Command injection reported for login password field
    

Problem conclusion

  •  Escape special characters in password with backslash
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ17930

  • Reported component name

    POWERHA SYSMIR

  • Reported component ID

    5765H3900

  • Reported release

    723

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Submitted date

    2019-07-30

  • Closed date

    2019-12-17

  • Last modified date

    2019-12-17

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    POWERHA SYSMIR

  • Fixed component ID

    5765H3900

Applicable component levels

  • PowerHA SystemMirror Standard Edition (product code SSLM9V), version 723, Platform Independent
  • PowerHA SystemMirror Enterprise Edition for AIX (product code SSXU4N), version 723, Platform Independent
  • PowerHA SystemMirror Standard Edition for AIX (product code SSLM9V), version 723, Platform Independent
  • PowerHA (product code SGL4G4), version 723, Platform Independent

Document Information

Modified date:
19 October 2021