[17413] in bugtraq


Re: Remote command execution via KW Whois 1.0 (addition)

daemon@ATHENA.MIT.EDU (Mark Stratman)
Mon Oct 30 02:25:41 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.GSO.4.10.10010290505380.13352-100000@icarus.cc.uic.edu>
Date:         Sun, 29 Oct 2000 05:09:36 -0600
Reply-To: Mark Stratman <mstrat1@UIC.EDU>
From: Mark Stratman <mstrat1@UIC.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.GSO.4.10.10010290420400.5897-100000@icarus.cc.uic.edu>

Sorry to have to post again, this is just an addition for the sake of
completeness.

KW Whois url: http://www.kootenayweb.bc.ca/scripts/whois.html

Fix:
Parse out unsafe characters in $query->param with standard CGI checking
(see http://www.n3t.net/programming/)
	
On Sun, 29 Oct 2000, Mark Stratman wrote:

> Greetings,
>
> There is a vulnerability in Kootenay Web Inc's KW Whois v1.0 which allows
> malicious users to execute commands as the uid/gid of the webserver.
> The hole lies in unchecked user input via an input form box.
> The form element <input type=text name="whois"> is not checked by the
> script for unsafe characters.
> Unsafe code:
> $site = $query->param('whois');
> ....
> $app = `whois $site`;
> print "$app .......
>
> Proof of concept:
> 	Type ";id" (without the quotes) into the input box.
>
> cheers.
> Mark Stratman (count0)
> (mstrat1@uic.edu)
> http://sporkstorms.org
>
>

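The check the fix above calls for, written out as an added example (this is not KW Whois code and not from the original posts). It assumes the whois binary is on PATH and that the value would normally come from $query->param('whois'); here it is taken from a constructed list and from @ARGV so the script runs stand-alone. The file name whois_check.pl is hypothetical.

```perl
#!/usr/bin/perl
# Added example: allow-list validation of the "whois" form field plus a
# shell-free way of running the whois binary. Not KW Whois code.
use strict;
use warnings;

# Accept only what a domain name or IP address can contain: letters, digits,
# dots and hyphens, and refuse a leading hyphen so the value can never be
# taken as a whois option (e.g. "-h evil.example" would redirect the query).
# Anything else (";", "|", "`", "$", spaces, ...) is rejected outright rather
# than "cleaned", because stripping is much easier to get wrong.
sub valid_whois_query {
    my ($q) = @_;
    return 0 unless defined $q;
    return 0 if length($q) > 253;    # longest legal DNS name
    return $q =~ /\A[A-Za-z0-9][A-Za-z0-9.\-]*\z/ ? 1 : 0;
}

# The vulnerable pattern from the advisory, kept only for comparison and
# never to be called with untrusted input: backticks hand the whole string
# to /bin/sh, so ";id" becomes a second command.
sub whois_unsafe {
    my ($site) = @_;
    return `whois $site`;
}

# Hardened: validate first, then use the list form of open(), which exec()s
# the program with separate argv elements and never starts a shell, so
# metacharacters carry no meaning even if the check is later loosened.
sub whois_safe {
    my ($site) = @_;
    die "rejected whois query\n" unless valid_whois_query($site);
    open(my $fh, '-|', 'whois', $site) or die "cannot run whois: $!\n";
    local $/;                        # slurp the whole reply
    my $out = <$fh>;
    close($fh);
    return $out;
}

# Constructed inputs of the kind a form might submit (not real traffic).
my @inputs = (
    'example.com',
    '192.0.2.1',
    ';id',
    'example.com|cat /etc/passwd',
    '-h evil.example',
    '',
);
for my $in (@inputs) {
    printf "%-32s %s\n", "'$in'", valid_whois_query($in) ? 'accepted' : 'rejected';
}

# Only touch the network when asked explicitly: perl whois_check.pl example.com
if (@ARGV) {
    print whois_safe($ARGV[0]);
}
```

In a real CGI handler the die in whois_safe would be replaced by an error page, but the two pieces stay the same: reject anything outside the allow-list before it reaches the command, and build the command as an argument list so no shell ever sees the user's input.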