OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: Remote command execution via KW Whois 1.0 (addition)
From: Mark Stratman (mstrat1UIC.EDU)
Date: Sun Oct 29 2000 - 05:09:36 CST


Sorry to have to post again, this is just an addition for the sake of
completeness.

KW Whois url: http://www.kootenayweb.bc.ca/scripts/whois.html

Fix:
Parse out unsafe characters in $query->param with standard cgi checking
(see http://www.n3t.net/programming/)
        
On Sun, 29 Oct 2000, Mark Stratman wrote:

> Greetings,
>
> There is a vulnerability in Kootenay Web Inc's KW Whois v1.0 which allows
> malicious users to execute commands as the uid/gid of the webserver.
> The hole lies in unchecked user input via an input form box.
> The form element <input type=text name="whois"> is not checked by the
> script for unsafe characters.
> Unsafe code:
> $site = $query->param('whois');
> ....
> $app = `whois $site`;
> print "$app .......
>
> Proof of concept:
> Type ";id" (without the quotes) into the input box.
>
> cheers.
> Mark Stratman (count0)
> (mstrat1uic.edu)
> http://sporkstorms.org
>
>