HTML::Merge Input Validation Hole in 'printsource.pl' Lets Remote Users Execute Commands
|
|
SecurityTracker Alert ID: 1012014 |
|
SecurityTracker URL: http://securitytracker.com/id/1012014
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Updated: Nov 1 2004
|
Original Entry Date: Oct 31 2004
|
Impact:
Execution of arbitrary code via network, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 3.0 - 3.42
|
Description:
A vulnerability was reported in HTML::Merge. A remote user can execute shell commands on the target system.
The vendor reported that 'printsource.pl' does not properly validate user-supplied input in the 'template' parameter. A remote user can supply specially crafted input to execute shell commands on the target system with the privileges of the target web service.
|
Impact:
A remote user can execute shell commands on the target system with the privileges of the target web service.
|
Solution:
The vendor has released a fixed version (3.43), available at:
http://sourceforge.net/project/showfiles.php?group_id=47854
A patch is also available at:
http://sourceforge.net/tracker/download.php?group_id=47854&atid=451105&file_id=106241&aid=1052924
|
Vendor URL: www.raz.co.il/razinf/merge-overview.html?sid=sf.js.doc (Links to External Site)
|
Cause:
Input validation error
|
Underlying OS:
Linux (Any), UNIX (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Sun, 31 Oct 2004 02:16:14 -0500
Subject: http://sourceforge.net/forum/forum.php?forum_id=417078
|
Patch for printsource.pl security problem
|
|
