FVWM fvwm_make_directory_menu.sh Scripts Command Execution Vulnerability
BID:9925
Info
| Bugtraq ID: | 9925 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | Mar 19 2004 12:00AM |
| Updated: | Mar 19 2004 12:00AM |
| Credit: | Discovery of this issue has been credited to Dominik Vogt <[email protected]>. |
| Vulnerable: | FVWM FVWM 2.5.8, FVWM FVWM 2.4.17 |
| Not Vulnerable: | |
Discussion
It has been reported that the FVWM 'fvwm_make_directory_menu.sh' script is prone to a command execution vulnerability. This issue is due to the script allowing a user to define which application should be used to execute the file via its filename.
An attacker may be able to leverage this issue to cause arbitrary commands to be executed with the privileges of a victim user.
This issue is related to the issue described in BID 9161.
Exploit / POC
No exploit is required to leverage this issue. The following action is reported to create a file that is sufficient to trigger this condition:
$ touch 'Exec xmessage "0wn3d"'
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
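Until a fix is available, a script that turns directory listings into FVWM menu definitions can refuse file names such as the one shown under Exploit / POC instead of copying them into the menu. The following is an added example, not the FVWM script or code from the FVWM project; the function names is_safe_name and emit_menu, the viewer argument, and the assumption that the directory path itself is trusted are all illustrative.

```shell
#!/bin/sh
# Added example (not the FVWM script): build FVWM menu lines from a directory,
# refusing any file name that falls outside a conservative allow-list.
LC_ALL=C; export LC_ALL   # make the A-Z / a-z ranges below byte-exact

# is_safe_name NAME
# Succeeds only for names made of letters, digits, '.', '_', '+' and '-'
# that do not start with '.' or '-'. Spaces, quotes, '$', backticks and
# control characters are all rejected, so a name cannot add words or
# quoting to the generated menu line.
is_safe_name() {
    case $1 in
        '' | .* | -*) return 1 ;;
        *[!A-Za-z0-9._+-]*) return 1 ;;
    esac
    return 0
}

# emit_menu DIR MENU VIEWER   (hypothetical helper)
# Writes "DestroyMenu"/"AddToMenu" plus one '+ "label" action' line per
# accepted regular file to stdout. DIR is assumed to be a trusted path
# chosen by the user who owns the FVWM session.
# Example call: emit_menu "$HOME/docs" DocsMenu less
emit_menu() {
    dir=$1 menu=$2 viewer=$3 skipped=0
    printf 'DestroyMenu %s\nAddToMenu %s\n' "$menu" "$menu"
    for path in "$dir"/*; do
        [ -f "$path" ] || continue
        name=${path##*/}
        if is_safe_name "$name"; then
            # The name is passed as printf data, never as part of the format.
            printf '+ "%s" Exec exec %s "%s"\n' "$name" "$viewer" "$path"
        else
            skipped=$((skipped + 1))
        fi
    done
    # Report only a count; the rejected names are not echoed back.
    [ "$skipped" -eq 0 ] ||
        printf 'emit_menu: skipped %d unsafe name(s) in %s\n' "$skipped" "$dir" >&2
    return 0
}
```

Rejected files stay on disk and are only left out of the menu; the count on stderr tells the user that a directory contains names worth inspecting.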
References
References:
- FVWM Homepage (FVWM)