[39613] in bugtraq
WPS Web-Portal-System v.0.7.0 (wps_shop.cgi) remote commands
daemon@ATHENA.MIT.EDU (blahplok@yahoo.com)
Wed Jul 13 17:09:48 2005
Date: 13 Jul 2005 14:03:22 -0000
Message-ID: <20050713140322.5802.qmail@securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: blahplok@yahoo.com
To: bugtraq@securityfocus.com
WPS Web-Portal-System v.0.7.0 (wps_shop.cgi) remote commands execution vulnerability
Vendor URL : http://www.pcdoc24.de (vendor website seem down)
Vulnerability : Remote Command Execution
Risk : High
==================================================================
An attacker may exploit this vulnerability to execute commands on
the remote host by adding special parameters to wps_shop.cgi script.
Problem:
There is no filtering special character when open file in sub showartikel.
Vulnerable code :
###########
sub showartikel {
###########
cartfooter();
open(DATA, "$shopcatsdir/$info{'cat'}/$info{'art'}");
lock(DATA);
.......................................
.......................................
}
Fix :
add :
$info{'art'} =~ s/[;<>\*\|'&\$!?#\(\)\[\]\{\}:'"\\]//go;
before :
open(DATA, "$shopcatsdir/$info{'cat'}/$info{'art'}");
}
Juni 2005 : bug found
Vendor website seem down and this hole not comfirmed to vendor
July 2005 : -----------
==================================================================
SELAMAT ULANG TAHUN BUAT 'PRABA ALKAUSAR HG'
SEMOGA BISA MENJADI MENUSIA BERGUNA... AMIENNN...
bug found and reported by blahplok@yahoo.com
