Command Injection with cURL possible for Web Service REST Jobs
Document ID :
Last Modified Date :
Show Technical Document Details
CA Automic Workload Automation
CA Automic Workload Automation:Release:3.0
RA WEB SERVICE:ARAWEB
Error Message :
With the use of cURL in Web Service REST, Command Injection is possible.
Check "Execute cURL command"
In the command box enter:
-v -k -L localhost 'exec whoami'
The command will be executed on the machine running the agent, with the agent user.
OS Version: N/A
Root Cause: In version 3 cannot deactive CURL parsing in the Webservice agent.
A check box has been implemented in version 4 to allow cURL commands to be activated or deactived.
RA Web Service REST Agent Guide 4.0:
Working with the Web Service Agent > Creating REST Jobs > Defining Requests for REST Jobs
Fix Status: No Fix
Do not use cURL with RA Web Service version 3.
Was this information helpful?