OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Remote command execution via KW Whois 1.0
From: Mark Stratman (mstrat1UIC.EDU)
Date: Sun Oct 29 2000 - 04:30:49 CST


Greetings,

There is a vulnerability in Kootenay Web Inc's KW Whois v1.0 which allows
malicious users to execute commands as the uid/gid of the webserver.
The hole lies in unchecked user input via an input form box.
The form element <input type=text name="whois"> is not checked by the
script for unsafe characters.
Unsafe code:
$site = $query->param('whois');
....
$app = `whois $site`;
print "$app .......

Proof of concept:
        Type ";id" (without the quotes) into the input box.

cheers.
Mark Stratman (count0)
(mstrat1uic.edu)
http://sporkstorms.org