[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

PNGƒJƒEƒ“ƒ^+—pƒƒO‰ƒXƒNƒŠƒvƒg remote commands execution vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: PNGƒJƒEƒ“ƒ^+—pƒƒO‰ƒXƒNƒŠƒvƒg remote commands execution vulnerability
From: blahplok@xxxxxxxxx
Date: 7 Jul 2005 14:02:21 -0000

PNG&#402;J&#402;E&#402;&#8220;&#402;^+&#8212;p&#402;?&#402;O&#8240;ð?Í&#402;X&#402;N&#402;&#352;&#402;v&#402;g
 remote commands execution vulnerability

Vendor URL    :  http://www.aurora.dti.ne.jp/~zom/Counter/
Vulnerability :  Remote Command Execution
Risk          :  High


==================================================================
An attacker may exploit this vulnerability to execute commands on
the remote host by adding special parameters to Kaiseki.cgi script.

Problem:

There is no filtering special character when open file in sub ReadLog.
Vulnerable code :

sub ReadLog
{
.......
.......

        $imaLog = $$log;
        if(!open(IN, "./$main::logdir/$imaLog"))
        {
.......
.......
}

Fix :

add :
$$log =~ s/[;<>\*\|'&\$!?#\(\)\[\]\{\}:'"\\]//go;

before :
$imaLog = $$log;
if(!open(IN, "./$main::logdir/$imaLog"))
{
.....
}

Example exploitasion :

http://[target]/cgi-bin/kaiseki.cgi?file.exetension|command|
or
http://[target]/cgi-bin/kaiseki.cgi?|command|


June 2005   : bug found
July 7 2005 : vendor contact
July 7 2005 : Vendor respon
July 2005   : ----------

==================================================================

by blahplok

Prev by Date: RE: Microsoft Word Protection Bypass
Next by Date: SimplePHPBlog 0.4.0 <= Remote Password Disclosure
Previous by thread: Vulnerability in Whatpulse.Org profiles allows XSS and session hijacking
Next by thread: SimplePHPBlog 0.4.0 <= Remote Password Disclosure
Index(es):
- Date
- Thread

PNG&#402;J&#402;E&#402;&#8220;&#402;^+&#8212;p&#402;&#402;O&#8240;&#402;X&#402;N&#402;&#352;&#402;v&#402;g remote commands execution vulnerability

PNGƒJƒEƒ“ƒ^+—pƒƒO‰ƒXƒNƒŠƒvƒg remote commands execution vulnerability