Sysinfo Multiple Input Validation Vulnerabilities

Bugtraq ID:	17523
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Apr 14 2006 12:00AM
Updated:	Apr 17 2006 08:41PM
Credit:	rgod is credited with the discovery of this vulnerability.
Vulnerable:	Sysinfo Sysinfo 1.21
Not Vulnerable:	Sysinfo Sysinfo 2.25

Sysinfo Multiple Input Validation Vulnerabilities


Sysinfo is prone to multiple input-validation vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input.

An attacker can exploit these vulnerabilities to execute arbitrary shell commands in the context of the webserver process. This may help attackers compromise the underlying system; other attacks are also possible. Remote attackers may also obtain the installation path.

Sysinfo 1.21 is reported vulnerable. Other versions may be affected as well.

Sysinfo Multiple Input Validation Vulnerabilities

This issue can be exploited through a web client.

The following proof-of-concept exploit is available:

• /data/vulnerabilities/exploits/sysinfo_poc

Sysinfo Multiple Input Validation Vulnerabilities

Solution:

The vendor has released version 2.25 to address the command-execution issue.


Sysinfo Sysinfo 1.21

• Sysinfo Sysinfo 2.25
  http://www.coder-world.de/files/sysinfo.zip

Sysinfo Multiple Input Validation Vulnerabilities

References:

• Sysinfo (Sysinfo)