Command Injection with cURL possible for Web Service REST Jobs

Article ID: 87993

Updated On:

Products

CA Automic Workload Automation - Automation Engine

Issue/Introduction

Error Message:
N/A

When cURL is used in Web Service REST jobs, command injection is possible.

Example:
  1. Check "Execute cURL command".
  2. In the command box, enter:

-v -k -L localhost 'exec whoami'

Expected Result: The command will be executed on the machine running the agent, as the agent user.

Cause

Cause type:
By design
Root Cause: In version 3, cURL parsing cannot be deactivated in the Web Service agent.

Environment

OS Version: N/A

Resolution

A check box has been implemented in version 4 to allow cURL commands to be activated or deactivated.

Reference

RA Web Service REST Agent Guide 4.0:
Working with the Web Service Agent > Creating REST Jobs > Defining Requests for REST Jobs

Fix Status: No Fix

Fix Version(s):
N/A

Additional Information

Workaround:
Do not use cURL with RA Web Service version 3.