This article applies to BoKS Manager 6.5, 6.6, 6.7 and 7.0.0.

Description

SUEXEC access routes with the suexec_touserenv modifier can allow arbitrary command execution.

Resolution / Workaround

Apply the hotfix for your version on the Master and all Server Agents and Replicas: HFBM-0165 (BoKS 7.0), HFBM-0164 (BoKS 6.6, BoKS 6.7) or TFS161110-012881 (BoKS 6.5). The hotfixes are available for download from the HelpSystems Community Portal.

When the suexec_touserenv modifier is set, suexec now quotes the parameters and makes the call through a new intermediate program, which prevents the shell from interpreting special characters.
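
The two measures named above, quoting the parameters and calling through an intermediate step, shown next to the unquoted pattern they replace. This is an added example, not BoKS code and not taken from the hotfix. The function names, the `echo` stand-in command, the sample parameter and the `exec "$@"` wrapper are assumptions chosen for illustration.

```python
import shlex
import subprocess

# Constructed sample parameter. The part after ';' is a harmless marker that
# only shows whether the shell parsed the parameter as syntax.
SAMPLE_PARAM = "report.txt; echo SHELL_PARSED_THIS"


def _sh(argv):
    """Run argv and return its stdout as a list of lines."""
    done = subprocess.run(argv, capture_output=True, text=True, check=True)
    return done.stdout.splitlines()


def run_unquoted(program, params):
    """Unquoted pattern: parameters are pasted into the shell command line,
    so ';' and other special characters are interpreted by the shell."""
    return _sh(["/bin/sh", "-c", " ".join([program, *params])])


def run_quoted(program, params):
    """Each word is quoted, so the shell sees it as one literal argument."""
    line = " ".join(shlex.quote(word) for word in [program, *params])
    return _sh(["/bin/sh", "-c", line])


def run_via_intermediate(program, params):
    """Hypothetical intermediate step: the shell parses only the fixed script
    'exec "$@"'; the parameters arrive as positional arguments, never as
    shell source text."""
    return _sh(["/bin/sh", "-c", 'exec "$@"', "wrapper", program, *params])


if __name__ == "__main__":
    for fn in (run_unquoted, run_quoted, run_via_intermediate):
        print(f"{fn.__name__}: {fn('echo', [SAMPLE_PARAM])}")
```

Only the unquoted variant produces the marker as a separate output line; the other two pass the whole parameter to the command as a single literal argument.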



Last Modified On: May 25, 2018