Shell injection attack on ScanDirectories #3
Description
The code in question is https://github.com/dataflow/DataStage/blob/master/src/AdminUI/MiscLib/ScanDirectories.py. IsDirectoryWritable() contains a call to os.system() using input containing dirPath. Following things up a potential call stack, dirPath can be the name of a directory on the file system. As users are able to create directories with whatever names they like, a malicious user could invoke any command as www-data by visiting </tool/SubmitDatasetHandler/cgi-bin/DirectoryListingHandler.py>. This would then traverse the user's home, and in so doing, execute the malicious command.
This one requires an authenticated user, as the above CGI script is behind basic auth.