Command Injection with cURL possible for Web Service REST Jobs

Document ID : KB000087993
Last Modified Date : 14/04/2018
Issue:
Error Message :
N/A

When cURL is used in Web Service REST jobs, command injection is possible.

Example:
  1. Check "Execute cURL command"
  2. In the command box enter:

-v -k -L localhost 'exec whoami'

Expected Result: The command will be executed on the machine running the agent, as the agent user.
Environment:
OS Version: N/A
Cause:
Cause type:
By design
Root Cause: In version 3, cURL parsing cannot be deactivated in the Web Service agent.
Resolution:
A check box has been implemented in version 4 to allow cURL commands to be activated or deactivated.

Reference

RA Web Service REST Agent Guide 4.0:
Working with the Web Service Agent > Creating REST Jobs > Defining Requests for REST Jobs 

 

Fix Status: No Fix

Fix Version(s):
N/A
Additional Information:
Workaround :
Do not use cURL with RA Web Service version 3.
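
Where version 4 is deployed with cURL commands left activated, the content of the command box can be reviewed before a job is saved. The following is an added example, not code from the product or its documentation: the function name `review_curl_command` and the allow-list policy are assumptions, and the first sample string is the one from the Example above.

```python
import shlex
from urllib.parse import urlsplit

# Assumed review policy (constructed for this example, not taken from the product).
ALLOWED_FLAGS = {"-v", "-k", "-L", "-s", "-i"}
ALLOWED_VALUE_FLAGS = {"-X": {"GET", "POST", "PUT", "DELETE"}}
ALLOWED_SCHEMES = {"http", "https"}


def review_curl_command(command):
    """Return findings for one command-box string; an empty list means it passes."""
    try:
        tokens = shlex.split(command)  # POSIX-style quoting, as in the KB sample
    except ValueError as exc:
        return [f"unparseable quoting: {exc}"]
    findings, targets = [], []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ALLOWED_VALUE_FLAGS:
            i += 1  # consume the option's value
            value = tokens[i] if i < len(tokens) else None
            if value not in ALLOWED_VALUE_FLAGS[tok]:
                findings.append(f"{tok} has missing or disallowed value: {value!r}")
        elif tok.startswith("-"):
            if tok not in ALLOWED_FLAGS:
                findings.append(f"option not on allow-list: {tok}")
        else:
            targets.append(tok)  # every non-option token must be the request URL
        i += 1
    if len(targets) != 1:
        findings.append(f"expected exactly one URL, found {len(targets)}")
    for target in targets:
        if any(ch.isspace() for ch in target):
            findings.append(f"target contains whitespace: {target!r}")
            continue
        try:
            # A bare host such as "localhost" has no scheme; cURL assumes http.
            parts = urlsplit(target if "://" in target else "http://" + target)
        except ValueError:
            findings.append(f"malformed URL: {target!r}")
            continue
        if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
            findings.append(f"not a plain http(s) URL: {target!r}")
    return findings


if __name__ == "__main__":
    for sample in ("-v -k -L localhost 'exec whoami'", "-v -k -L localhost"):
        print(sample, "->", review_curl_command(sample) or "OK")
```

The KB sample is rejected because it carries a second non-option token after the URL; the same string without that token passes.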