Yarssr GUI.PM Remote Code Injection Vulnerability
BID:26273
Info
Yarssr GUI.PM Remote Code Injection Vulnerability
| Bugtraq ID: | 26273 |
| Class: | Input Validation Error |
| CVE: |
CVE-2007-5837 |
| Remote: | Yes |
| Local: | No |
| Published: | Oct 31 2007 12:00AM |
| Updated: | Jan 28 2008 07:07PM |
| Credit: | Duncan Gilmore is credited with the discovery of this vulnerability. |
| Vulnerable: |
Yarssr Yarssr 0.2.2 |
| Not Vulnerable: | |
Discussion
Yarssr GUI.PM Remote Code Injection Vulnerability
Yarssr is prone to a remote code-injection vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this issue to inject and execute arbitrary malicious Perl code with the privileges of the user running the application. Successful exploits can compromise the application and possibly the underlying computer; other attacks are also possible.
Yarssr 0.2.2 is vulnerable; other versions may also be affected.
Yarssr is prone to a remote code-injection vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this issue to inject and execute arbitrary malicious Perl code with the privileges of the user running the application. Successful exploits can compromise the application and possibly the underlying computer; other attacks are also possible.
Yarssr 0.2.2 is vulnerable; other versions may also be affected.
Exploit / POC
Yarssr GUI.PM Remote Code Injection Vulnerability
An attacker must entice an unsuspecting victim into subscribing to a malicious RSS feed.
The following exploit code is available:
An attacker must entice an unsuspecting victim into subscribing to a malicious RSS feed.
The following exploit code is available:
Solution / Fix
Yarssr GUI.PM Remote Code Injection Vulnerability
Solution:
Please see the references for vendor advisories.
Solution:
Please see the references for vendor advisories.
References
Yarssr GUI.PM Remote Code Injection Vulnerability
References:
References:
- Security bug: Code Injection through badly formatted URL (Debian)
- Yarssr Homepage (Yarssr)
- Yarssr Sourceforge Homepage (Yarssr)