
Possible CommandInjection in: \source\ij\plugin\BrowserLauncher.java


Hello imageJ staff/community,

I would like to report a security issue that affects ImageJ software running on OSX systems.

I think that in this piece of code we could inject commands:

BrowserLauncher.java ==> openURL(String url)

	public static void openURL(String url) throws IOException {
		String errorMessage = "";
		if (IJ.isMacOSX()) {
			if (IJ.isJava16())
				IJ.runMacro("exec('open', '"+url+"')");
			else {
...

I think it will be possible to inject code inside runMacro() in the following way:

BrowserLauncher b = new BrowserLauncher();
String imageFilePath = "http://127.0.0.1/test.jpg');exec('open -a /Applications/Calculator.app');exec('\"";
b.openURL(imageFilePath);

Sorry if it is a known issue, or there are technical errors,

Alvaro Folgado
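An added example, not ImageJ's code and not the fix in imagej/imagej1#35, contrasting the reported pattern with a hardened launcher. The macro string is built by concatenation, so a single quote in the URL ends the literal and the rest is parsed as macro code; handing the URL to ProcessBuilder as one argv element means no macro or shell parser ever sees it. The class name, the scheme allow-list and the sample URLs are assumptions.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.List;
import java.util.Set;

// Hypothetical hardened launcher (not ImageJ's BrowserLauncher).
public class SafeBrowserLauncher {
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https", "file");

    /** Builds the macro string the way the reported code does; kept only to show why it is unsafe. */
    static String vulnerableMacro(String url) {
        return "exec('open', '" + url + "')";
    }

    /**
     * Parses the URL, restricts its scheme and returns the argv that would be executed.
     * Note that java.net.URI accepts ' ( ) ; in a path, so validation alone does not stop
     * the breakout; the protection is that the URL stays a single argv element.
     */
    static List<String> safeArgv(String url) throws IOException {
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            throw new IOException("Malformed URL: " + url, e);
        }
        String scheme = uri.getScheme();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase())) {
            throw new IOException("Refusing to open URL with scheme: " + scheme);
        }
        return Arrays.asList("open", uri.toString());
    }

    public static void openURL(String url) throws IOException {
        new ProcessBuilder(safeArgv(url)).start();   // no shell, no macro interpreter
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a legitimate-looking URL that happens to contain a single quote.
        String quoted = "http://127.0.0.1/o'brien.jpg";
        System.out.println(vulnerableMacro(quoted)); // literal ends after /o, rest becomes macro code
        System.out.println(safeArgv(quoted));        // [open, http://127.0.0.1/o'brien.jpg]: one argument
        try {
            safeArgv("javascript:alert(1)");         // scheme not on the allow-list
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```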

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Comments: 7 (4 by maintainers)

Top GitHub Comments

1 reaction
rebujacker commented, May 5, 2017

Done. Thanks for the fast response!

0 reactions
ctrueden commented, May 5, 2017

For reference, the PR is imagej/imagej1#35. Thanks, @AlvFolgado.

