Command Injection with cURL possible for Web Service REST Jobs
Article ID: 87993
Updated On:
Products
CA Automic Workload Automation - Automation Engine
Issue/Introduction
Error Message :
N/A
With the use of cURL in Web Service REST, Command Injection is possible.
Example:
Expected Result: The command will be executed on the machine running the agent, with the agent user.
N/A
With the use of cURL in Web Service REST, Command Injection is possible.
Example:
- Check "Execute cURL command"
- In the command box enter:
-v -k -L localhost 'exec whoami'
Expected Result: The command will be executed on the machine running the agent, with the agent user.
Environment
OS Version: N/A
Cause
Cause type:
By design
Root Cause: In version 3 cannot deactive CURL parsing in the Webservice agent.
By design
Root Cause: In version 3 cannot deactive CURL parsing in the Webservice agent.
Resolution
A check box has been implemented in version 4 to allow cURL commands to be activated or deactived.
Reference
RA Web Service REST Agent Guide 4.0:
Working with the Web Service Agent > Creating REST Jobs > Defining Requests for REST Jobs
Fix Status: No Fix
Fix Version(s):
N/A
Reference
RA Web Service REST Agent Guide 4.0:
Working with the Web Service Agent > Creating REST Jobs > Defining Requests for REST Jobs
Fix Status: No Fix
Fix Version(s):
N/A
Additional Information
Workaround :
Do not use cURL with RA Web Service version 3.
Do not use cURL with RA Web Service version 3.
Feedback
Yes
No
Powered by
