| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: 7 Jul 2005 14:02:21 -0000
From: blahplok@...oo.com
To: bugtraq@...urityfocus.com
Subject: PNGƒJƒEƒ“ƒ^+—pƒƒO‰ƒXƒNƒŠƒvƒg
remote commands execution vulnerability
PNGƒJƒEƒ“ƒ^+—pƒƒO‰ƒXƒNƒŠƒvƒg remote commands execution vulnerability
Vendor URL : http://www.aurora.dti.ne.jp/~zom/Counter/
Vulnerability : Remote Command Execution
Risk : High
==================================================================
An attacker may exploit this vulnerability to execute commands on
the remote host by adding special parameters to Kaiseki.cgi script.
Problem:
There is no filtering special character when open file in sub ReadLog.
Vulnerable code :
sub ReadLog
{
.......
.......
$imaLog = $$log;
if(!open(IN, "./$main::logdir/$imaLog"))
{
.......
.......
}
Fix :
add :
$$log =~ s/[;<>\*\|'&\$!?#\(\)\[\]\{\}:'"\\]//go;
before :
$imaLog = $$log;
if(!open(IN, "./$main::logdir/$imaLog"))
{
.....
}
Example exploitasion :
http://[target]/cgi-bin/kaiseki.cgi?file.exetension|command|
or
http://[target]/cgi-bin/kaiseki.cgi?|command|
June 2005 : bug found
July 7 2005 : vendor contact
July 7 2005 : Vendor respon
July 2005 : ----------
==================================================================
by blahplok
Powered by blists - more mailing lists