DailyDose Input Validation Flaw in $template Variable Permits Remote OS Command Execution
|
|
SecurityTracker Alert ID: 1008141 |
|
SecurityTracker URL: http://securitytracker.com/id/1008141
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Nov 10 2003
|
Impact:
Execution of arbitrary code via network, User access via network
|
Exploit Included: Yes
|
Version(s): 1.1
|
Description:
An input validation vulnerability was reported in the DailyDose script. A remote user can execute commands on the target system.
Alexey Sintsov aka Don_Huan reported that the script does not properly validate user-supplied input from the query string. A remote user can supply a specially crafted template file name containing operating system commands to the target system to execute arbitrary commands on the target system. The commands will run with the privileges of the target web server.
A demonstration exploit URL is provided:
http://[target]/cgi-bin/dose.pl?daily&somefile.txt&|ls|
|
Impact:
A remote user can execute arbitrary operating system commands on the target server with the privileges of the target server.
|
Solution:
No solution was available at the time of this entry.
|
Vendor URL: www.onlinearts.net/freeware/PERL/DailyDose/ (Links to External Site)
|
Cause:
Input validation error
|
Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: 9 Nov 2003 15:58:41 -0000
Subject: DailyDose v 1.1
|
Bug is found in this script:
DailyDose v 1.1 (by www.onlinearts.net)
The script (dose.pl) does not check the input:
$data=$ENV{'QUERY_STRING'};
($command,$list,$temp, $id) = split ("&",$data,4);
. . .
local ($template) = "$tempdir/$temp";
open(TEMPL, "$template") || print "no file found $template!";
#open without check var. $temp
Example (listing):
http://www.someserver.com/cgi-bin/dose.pl?daily&somefile.txt&|ls|
--------------------------
Alexey Sintsov aka Don_Huan
huan@xp-team.spb.su
|
|
