The Includer Remote Command Execution Vulnerability

Bugtraq ID:	12738
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Mar 07 2005 12:00AM
Updated:	Mar 07 2005 12:00AM
Credit:	Discovery of this vulnerability is credited to Francisco Alisson <[email protected]>.
Vulnerable:	Jimmy The Includer 1.1 Jimmy The Includer 1.0
Not Vulnerable:

The Includer Remote Command Execution Vulnerability

The Includer is reported prone to a remote arbitrary command execution vulnerability. This issue presents itself due to insufficient sanitization of user-supplied data.

A remote attacker may exploit this vulnerability to execute arbitrary command in the context of the Web server that is hosting the affected software.

The Includer Remote Command Execution Vulnerability

The following examples are available:
http://www.example.com/includer.cgi?|id|
http://www.example.com/includer.cgi?template=|id|

An exploit (includer.py) was also made available.

• /data/vulnerabilities/exploits/includer.py

The Includer Remote Command Execution Vulnerability

Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.

The Includer Remote Command Execution Vulnerability

References:

• The Includer Homepage (Jimmy )
  
• [badroot.org] The Includer remote commands execution exploit (Federico Ozak )
  
• Remote Command Execution (Francisco Alisson )