Zdenda
Aug 19, 2019
TCL code injection - eval in proxy-pass rule
Hi there,
I've been searching through the proxypass rule to check whether it's vulnerable to TCL code injection, and I am unsure about this one:
..
set stream_expression_cmd "STREAM::expression \"@$host_serverside$path_serverside@$host_clientside$path_clientside@ @$path_serverside@$path_clientside@\""
} else {
set stream_expression_cmd "STREAM::expression \"@$host_serverside$path_serverside@$host_clientside$path_clientside@\""
.
.
eval $stream_expression_cmd
..
It's only eval which works with user input ([HTTP::uri], [HTTP::host]) through the variables $host_clientside and $path_clientside.
My question is, do you think eval would process some script/commands provided via [HTTP::uri] if it's going through STREAM::expression?
Without STREAM probably yes, but with STREAM, I am not sure.
Thanks,
Zdenek
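
Added example, not part of the original post or of the ProxyPass rule: how plain Tcl `eval` parses a command built as a string the way the excerpt above builds it, next to the same command built with `list`. It runs in tclsh, so `STREAM::expression` is a stand-in proc, `canary` is a hypothetical marker proc, and all values are constructed; behaviour of the real command on BIG-IP is not tested here.

```tcl
# Stand-in for the BIG-IP command so the script runs in plain tclsh.
# Assumption: it only records the argument it receives.
namespace eval STREAM {
    proc expression {pattern} { set ::received $pattern }
}

# Hypothetical marker: if it runs, request data was parsed as Tcl code.
proc canary {} { set ::canary_ran 1; return "" }

# Same construction as the rule excerpt: values are pasted into a string,
# then eval parses that string a second time, brackets included.
proc eval_string_form {hs ps hc pc} {
    set ::canary_ran 0
    set cmd "STREAM::expression \"@$hs$ps@$hc$pc@\""
    eval $cmd
    return [list $::canary_ran $::received]
}

# Hardened form: list quotes the argument, so eval sees one literal word
# and performs no second round of substitution on the request data.
proc eval_list_form {hs ps hc pc} {
    set ::canary_ran 0
    set cmd [list STREAM::expression "@$hs$ps@$hc$pc@"]
    eval $cmd
    return [list $::canary_ran $::received]
}

# Constructed sample values; the client-side path carries a bracketed word,
# standing in for what could arrive through HTTP::uri.
set hs "10.0.0.5"
set ps "/internal"
set hc "www.example.com"
set pc {/app[canary]}

foreach form {eval_string_form eval_list_form} {
    lassign [$form $hs $ps $hc $pc] ran received
    puts "$form: canary_ran=$ran received=$received"
}
```

The first field of each result shows whether the bracketed word was executed; the second shows what the stand-in command actually received as its pattern.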