Date: 13 Jul 2005 14:03:22 -0000
From: blahplok@...oo.com
To: bugtraq@...urityfocus.com
Subject: WPS Web-Portal-System v.0.7.0 (wps_shop.cgi) remote commands
 execution vulnerability


WPS Web-Portal-System v.0.7.0 (wps_shop.cgi) remote commands execution vulnerability

Vendor URL    :  http://www.pcdoc24.de (vendor website seems down)
Vulnerability :  Remote Command Execution
Risk          :  High


==================================================================
An attacker may exploit this vulnerability to execute commands on
the remote host by adding special parameters to the wps_shop.cgi script.

Problem:

Special characters are not filtered before the file is opened in sub showartikel.
Vulnerable code:

###########
sub showartikel {
###########
	cartfooter();
	open(DATA, "$shopcatsdir/$info{'cat'}/$info{'art'}"); 
	lock(DATA); 
.......................................
.......................................

}

Fix :

add :
$info{'art'} =~ s/[;<>\*\|'&\$!?#\(\)\[\]\{\}:'"\\]//go;

before :
open(DATA, "$shopcatsdir/$info{'cat'}/$info{'art'}"); 
}



June 2005   : bug found
The vendor website seems down and this hole was not confirmed with the vendor
July 2005   : -----------

==================================================================

HAPPY BIRTHDAY TO 'PRABA ALKAUSAR HG'
MAY YOU BECOME A USEFUL PERSON... AMEN...

bug found and reported by blahplok@...oo.com
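
The fix above strips a list of characters from $info{'art'} before a two-argument open(). As an added example (not part of the original advisory and not WPS code), the sketch below shows a stricter form of the same idea: both path components are checked against an allowlist, and the file is opened with three-argument open(). The names safe_component and open_article, the 64-character limit and the sample data are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not WPS code: safe_component() and open_article() are hypothetical names.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Path qw(make_path);

# Accept a value only if it is a single plain name: it must start with an
# alphanumeric character or underscore and contain nothing outside the allowlist.
sub safe_component {
    my ($value) = @_;
    return undef unless defined $value;
    return $value =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/ ? $1 : undef;
}

# Stand-in for the open() in showartikel: validate both components, then use
# three-argument open so the path is only ever a file name opened for reading.
sub open_article {
    my ($shopcatsdir, $cat, $art) = @_;
    my $safe_cat = safe_component($cat);
    my $safe_art = safe_component($art);
    return undef unless defined $safe_cat && defined $safe_art;
    open(my $fh, '<', "$shopcatsdir/$safe_cat/$safe_art") or return undef;
    return $fh;
}

# Constructed sample data: a temporary catalogue with one article file.
my $shopcatsdir = tempdir(CLEANUP => 1);
make_path("$shopcatsdir/books");
open(my $out, '>', "$shopcatsdir/books/art001.txt") or die "setup failed: $!";
print {$out} "Sample article\n";
close($out);

# Constructed requests: one valid, the others carry characters from the
# advisory's filter list.
my @requests = (
    [ 'books',  'art001.txt' ],
    [ 'books',  'art001.txt|' ],
    [ 'books',  'a;b' ],
    [ 'bo&oks', 'art001.txt' ],
);

for my $req (@requests) {
    my ($cat, $art) = @$req;
    my $fh = open_article($shopcatsdir, $cat, $art);
    printf "%-10s %-14s %s\n", $cat, $art, $fh ? 'opened' : 'rejected';
    close($fh) if $fh;
}
```

Only the first constructed request is opened; the other three are rejected before open() is reached.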

