Description
Hi,
For some research I'm doing, I'm looking to get smqueue to call my script with each text I send from the test network. I skimmed through the source code and found the SMS.HTTPGateway.URL option and created an HTTP server to receive the requests.
I got it working, but I noticed that the incoming text message is not properly escaped, leading to a command injection vulnerability. With this configuration option enabled, and set to http://localhost:1337/%s/%s, I was able to reboot my machine running OpenBTS by sending a text message to a number that doesn't even exist.
I'm not reporting this as a security bug because it's an undocumented feature, and I know I wouldn't be amused if someone reported a security bug to me in a feature I didn't even document :) However, if someone deployed this configuration, it would lead to remote code execution (as the user running smqueue, which is usually root I think), so it should probably be fixed.
If you have trouble replicating this or have any questions, feel free to contact me.
Best,
Zack
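
One way to close the hole described in this report, as an added example (not code from the post or from OpenBTS): percent-encode each message field before it goes into the gateway URL template, and fill the two %s slots by hand so the configured string is never used as a printf format. The function names are hypothetical, and the code assumes a template with exactly two %s slots, as in the URL quoted above.

```c
#include <stdlib.h>
#include <string.h>

/* Percent-encode every byte except RFC 3986 unreserved characters, so shell
 * metacharacters, '/', '%' and spaces cannot survive into the URL.
 * Returns a malloc'd string (caller frees) or NULL on allocation failure. */
char *url_encode(const char *in)
{
    static const char hex[] = "0123456789ABCDEF";
    char *out = malloc(3 * strlen(in) + 1), *p = out;
    if (!out) return NULL;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
            (c >= '0' && c <= '9') || c == '-' || c == '.' || c == '_' || c == '~') {
            *p++ = (char)c;
        } else {
            *p++ = '%'; *p++ = hex[c >> 4]; *p++ = hex[c & 15];
        }
    }
    *p = '\0';
    return out;
}

/* Hypothetical helper: copy tmpl into dst, replacing the first %s with the
 * encoded number and the second with the encoded text. Returns 0 on success,
 * -1 on truncation, allocation failure, or a template without exactly two %s. */
int build_gateway_url(char *dst, size_t cap, const char *tmpl,
                      const char *number, const char *text)
{
    const char *raw[2] = { number, text };
    size_t used = 0;
    int field = 0;
    if (cap == 0) return -1;
    while (*tmpl) {
        if (tmpl[0] == '%' && tmpl[1] == 's') {
            if (field == 2) return -1;            /* unexpected third slot */
            char *enc = url_encode(raw[field++]);
            if (!enc) return -1;
            size_t len = strlen(enc);
            if (len >= cap - used) { free(enc); return -1; }
            memcpy(dst + used, enc, len); used += len;
            free(enc);
            tmpl += 2;
        } else {
            if (used + 1 >= cap) return -1;       /* keep room for the NUL */
            dst[used++] = *tmpl++;
        }
    }
    dst[used] = '\0';
    return field == 2 ? 0 : -1;
}
```

The resulting URL should then be handed to an HTTP client library or an exec-style call with an argument vector, not interpolated into a shell command string.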