Open security reports in luci, packages and routing

Hauke Mehrtens hauke at hauke-m.de
Sun Jun 28 09:12:41 PDT 2026


On 6/28/26 13:54, Jo-Philipp Wich wrote:
> Hi,
> 
> many of the LuCI reported issues are systemic and not easily fixable, if 
> at all.
> 
> They roughly fall into four categories:
> 
> 1) simple shell injection; many packages ship ad-hoc rpcd ubus plugins 
> which
>     provide methods that end up calling various commands to scrape info 
> from,
>     passing user input as shell arguments without proper escaping - 
> commonly
>     in the form 'fs.popen(`/usr/bin/somecomannd ${some_ubus_arg}`)' 
> which is
>     a textbook injection; I'll fix these case by case and work on an 
> improved
>     popen() implementation in ucode which takes an array command vector to
>     make it easier to write safe code, e.g.
>     `fs.popen(['/usr/bin/somecommand', some_ubus_arg])`
> 
> 2) stored XSS; external sources or saved uci values providing some kind of
>     freetext description field (e.g. DHCP hostnames, UPnP lease 
> descriptions)
>     which are then output as-is without additional HTML escaping, 
> leading to
>     XSS. I'll fix these case by case.
> 
> 3) stored command privilege escalation; many packages support specifying
>     arbitrary command hooks in their uci configuration. Even if a 
> restricted
>     user context is set up which is only allowed to read and write the uci
>     configuration of a particular package (e.g. ddns-scripts), the 
> restricted
>     user can set an arbitrary command (e.g. ddns-scripts `ip_script` 
> option)
>     which ends up being executed as root by the packages init script or 
> some
>     event handler. These class of bugs cannot be reasonably fixed in 
> LuCI and
>     require a general rearchitecturing of the backend package, e.g. by 
> dropping
>     support for command hooks, using restricted user contexts, some sort of
>     jailing, pre-approved whitelists etc.
> 
> 4) newline injections; many init script implementations translate uci to
>     native configuration without actually validating the values, 
> allowing users
>     to plant uci values which end up being written as additional 
> options, e.g.
>     `option 'foo' 'value\nbar value2'` would be written as
>        foo = value
>        bar = value2
>     into the ephemeral native configuration, allowing a uci write 
> privileged
>     user to inject arbitrary native settings, even those deliberately 
> left out
>     from uci for e.g. security reasons. If a process happens to support 
> options
>     taking shell commands to excecute or files to read from/write to, 
> chances
>     are high that those end up getting executed as root on the next service
>     restart.
> 
> 
> While class 1 and 2 issues are simple web develpoment things we have to 
> take care of, class 3 and 4 ones are systemic problems which require a 
> concerted effort in the entire OpenWrt and packages ecosystem to solve. 
> Fixing those entails migrating packages to non-root users, jailing, 
> restructuring configuration, auditing uci translations, introducing safe 
> by default behavior (e.g. let config_get fail for values with newlines/ 
> other problematic chars and introduce a config_get_unsafe or similar for 
> those rare cases where such values are allowed.
> 
> 
> Regards,
> Jo

Hi Jo,

Thank you for looking into the reports.

I saw that you fixed some problems on the master branch, could you 
please cherry pick them to the 25.12 branch too, I would like to tag the 
next release soon and would like to include as many fixes as we have.

Hauke



More information about the openwrt-devel mailing list