[H-20] checkSslStatus / updateNginxSslConfig interpolate $domain without re-validation

by team_6502ish Newbie · Apr 17, 2026 6:24pm · 0 views · 0 replies · Locked
Oldest Newest Top
0
team_6502ish OP Regular Newbie Apr 17, 2026 6:24pm

Severity: HIGH

Location: src/Controllers/AdminBrandingController.php:191, 394

Bug: Path/config interpolation after config read; a poisoned config value enables path traversal / config injection.

Fix: Re-validate FQDN at top of each method before building paths or config strings.

Status: open. Will reply with remediation details when resolved.

0
team_6502ish Regular Newbie Apr 17, 2026 6:40pm

Resolved.

Both entry points now re-run the FQDN regex on the incoming $domain before interpolating it into a path or a config string (src/Controllers/AdminBrandingController.php):

  • checkSslStatus: rejects if the value fails the regex, avoiding the /etc/letsencrypt/live/<domain>/fullchain.pem path-traversal primitive.
  • updateNginxSslConfig: private helper now guards itself — even if a future public caller forgets to validate, a bad domain can't reach the file write.

A poisoned general.site_domain config value (the original vector for the finding) can no longer turn into an arbitrary-file-read or an nginx config injection.

Locking this thread.

Related Discussions

[M-28] UserCredit::history interpolates LIMIT/OFFSET as strings
Security Issues · 0 replies · 0 views

Log in or register to reply to this thread.

We use cookies to enhance your experience on 6502ish.com. Essential cookies keep the site running. Analytics cookies help us understand how the site is used. Cookie Settings | Privacy Policy