Subject: Remote command execution via KW Whois 1.0
From: Mark Stratman (mstrat1 UIC.EDU)
Date: Sun Oct 29 2000 - 04:30:49 CST
Greetings,
There is a vulnerability in Kootenay Web Inc's KW Whois v1.0 which allows
malicious users to execute commands as the uid/gid of the webserver.
The hole lies in unchecked user input via an input form box.
The form element <input type=text name="whois"> is not checked by the
script for unsafe characters.
Unsafe code:
$site = $query->param('whois');
....
$app = `whois $site`;
print "$app .......
Proof of concept:
Type ";id" (without the quotes) into the input box.
cheers.
Mark Stratman (count0)
(mstrat1 uic.edu)
http://sporkstorms.org
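
A hardened form of the pattern quoted in the message, as an added example that is not part of the original post and not KW Whois's own code: the field is checked against a hostname/IP allowlist and whois is started without a shell. The function names and sample inputs are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not KW Whois code): safe handling of the "whois" form field.
use strict;
use warnings;

# Allowlist check: letters, digits, dots and hyphens only, and the value
# must start and end with an alphanumeric. This refuses shell
# metacharacters, whitespace, and a leading '-' that whois could read
# as an option. \A and \z anchor the whole string, including newlines.
sub valid_whois_target {
    my ($site) = @_;
    return 0 unless defined $site;
    return 0 if length($site) > 253;    # maximum length of a DNS name
    return $site =~ /\A[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?\z/ ? 1 : 0;
}

# Replacement for `whois $site`: list-form pipe open hands $site to the
# whois binary as a single argv entry, so no shell ever parses it.
sub run_whois {
    my ($site) = @_;
    return unless valid_whois_target($site);
    open(my $fh, '-|', 'whois', $site) or return;
    local $/;                           # slurp the full output
    my $out = <$fh>;
    close($fh);
    return $out;
}

# whois output is remote data; escape it before printing it into HTML.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

# Constructed sample inputs, including the ";id" value from the message.
for my $in ('example.com', '192.0.2.10', ';id', 'example.com;id', '-h x') {
    printf "%-16s %s\n", $in,
        valid_whois_target($in) ? 'accepted' : 'rejected';
}
```

In the CGI script the call site would become `my $app = run_whois($query->param('whois'));` followed by printing `html_escape($app)` when a value is returned.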