gbook.cgi Remote Command Execution Vulnerability
BID:1940
Info
gbook.cgi Remote Command Execution Vulnerability
| Bugtraq ID: | 1940 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | Nov 10 2000 12:00AM |
| Updated: | Nov 10 2000 12:00AM |
| Credit: | Reported to bugtraq by JW Oh <[email protected]> on Fri, 10 Nov 2000. |
| Vulnerable: |
Bill Kendrick GBook.cgi 1.0 |
| Not Vulnerable: | |
Discussion
gbook.cgi Remote Command Execution Vulnerability
Bill Hendrick's gbook.cgi is a guestbook script used by certain websites to log visitor names, comments and similar information.
Gbook.cgi fails to properly validate user-supplied input to the script's _MAILTO parameter. This allows a malicious user to append a ';' character to the definition of the _MAILTO field, followed by text containing malicious shell commands. These will be executed as the webserver, providing the attacker with an elevation of privileges, and, if properly exploited, allowing more serious compromises of the host system..
Bill Hendrick's gbook.cgi is a guestbook script used by certain websites to log visitor names, comments and similar information.
Gbook.cgi fails to properly validate user-supplied input to the script's _MAILTO parameter. This allows a malicious user to append a ';' character to the definition of the _MAILTO field, followed by text containing malicious shell commands. These will be executed as the webserver, providing the attacker with an elevation of privileges, and, if properly exploited, allowing more serious compromises of the host system..
References
gbook.cgi Remote Command Execution Vulnerability
References:
References: