[17405] in bugtraq

Remote command execution via KW Whois 1.0

daemon@ATHENA.MIT.EDU (Mark Stratman)
Mon Oct 30 01:25:45 2000

MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <Pine.GSO.4.10.10010290420400.5897-100000@icarus.cc.uic.edu>
Date:         Sun, 29 Oct 2000 04:30:49 -0600
Reply-To: Mark Stratman <mstrat1@UIC.EDU>
From: Mark Stratman <mstrat1@UIC.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM

Greetings,

There is a vulnerability in Kootenay Web Inc's KW Whois v1.0 which allows
malicious users to execute commands as the uid/gid of the webserver.
The hole lies in unchecked user input via an input form box.
The form element <input type=text name="whois"> is not checked by the
script for unsafe characters.
Unsafe code:
	$site = $query->param('whois');
	....
	$app = `whois $site`;
	print "$app .......

Proof of concept:
	Type ";id" (without the quotes) into the input box.

cheers.
Mark Stratman (count0)
(mstrat1@uic.edu)
http://sporkstorms.org
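
Added example, not part of the original post and not Kootenay Web's code: one way to harden the lookup shown above, assuming the script uses CGI.pm (as the `$query->param` call suggests) and a `whois` binary in /usr/bin or /bin. The helper names `valid_whois_target` and `run_whois` are hypothetical.

```perl
#!/usr/bin/perl
# Added example: hardened handling of the "whois" form field.
# The reported pattern was:  $app = `whois $site`;   (backticks run a shell)
use strict;
use warnings;
use CGI ();

# Fixed search path so the whois binary is not resolved via an inherited PATH.
$ENV{PATH} = '/usr/bin:/bin';

# Allowlist check: dot-separated labels of letters, digits and hyphens only.
# Each label must start with a letter or digit, so the value can never be
# parsed by whois as a command-line option. Total length capped at 253.
sub valid_whois_target {
    my ($s) = @_;
    return 0 unless defined $s && length($s) >= 1 && length($s) <= 253;
    return $s =~ /\A[A-Za-z0-9][A-Za-z0-9-]{0,62}(?:\.[A-Za-z0-9][A-Za-z0-9-]{0,62})*\z/
        ? 1 : 0;
}

# List-form pipe open: whois is exec'd directly with $target as a single
# argv entry, so no shell ever interprets the user-supplied value.
sub run_whois {
    my ($target) = @_;
    open(my $fh, '-|', 'whois', $target) or return;
    local $/;                      # slurp the whole response
    my $out = <$fh>;
    close $fh;
    return $out;
}

my $query = CGI->new;
my $site  = $query->param('whois');

print $query->header(-type => 'text/html', -charset => 'utf-8');
if (valid_whois_target($site)) {
    my $app = run_whois($site);
    $app = 'whois lookup failed' unless defined $app;
    # Escape before printing: the whois response is untrusted data too.
    print '<pre>', $query->escapeHTML($app), '</pre>';
} else {
    print '<p>Invalid domain name.</p>';
}
```

Validation and the shell-free exec are independent layers: either one alone blocks the reported input, and keeping both means a later loosening of the pattern does not reopen the hole.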