BID:30964

Newsbeuter Crafted URI Remote Arbitrary Shell Command Injection Vulnerability

Info

Newsbeuter Crafted URI Remote Arbitrary Shell Command Injection Vulnerability

Bugtraq ID:	30964
Class:	Input Validation Error
CVE:	CVE-2008-3907
Remote:	Yes
Local:	No
Published:	Sep 01 2008 12:00AM
Updated:	Sep 22 2008 08:59PM
Credit:	J.H.M. Dassen
Vulnerable:	Newsbeuter Newsbeuter 1.0 Gentoo Linux

Not Vulnerable:	Newsbeuter Newsbeuter 1.1

Discussion

Newsbeuter Crafted URI Remote Arbitrary Shell Command Injection Vulnerability

Newsbeuter is prone to a remote command-injection vulnerability because it fails to adequately sanitize user-supplied input data.

Attackers can exploit this issue to execute arbitrary shell commands in the context of the vulnerable application. This may facilitate the remote compromise of affected computers.

This issue affects Newsbeuter 1.0; previous versions may also be vulnerable.

Exploit / POC

Newsbeuter Crafted URI Remote Arbitrary Shell Command Injection Vulnerability

An attacker can use standard tools to create a malicious URI in an RSS feed and then entice a user to follow it.

Solution / Fix

Newsbeuter Crafted URI Remote Arbitrary Shell Command Injection Vulnerability

Solution:
The vendor has released an update. Please see the references for more information.

References

Newsbeuter Crafted URI Remote Arbitrary Shell Command Injection Vulnerability

References:

Newsbeuter 1.1 released: contains security fix, please upgrade (Newsbeuter)
Newsbeuter Homepage (Newsbeuter)