(Vendor Issues Fix) CVSTrac Input Validation Hole Lets Remote Users Execute Arbitrary Commands
|
|
SecurityTracker Alert ID: 1010892
|
|
SecurityTracker URL: http://securitytracker.com/id?1010892
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Aug 7 2004
|
Impact: Execution of arbitrary code via network, User access via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): 1.1.3
|
Description: A vulnerability was reported in CVSTrac. A remote user can execute arbitrary commans on the target system.
Richard Ngo reported that the software does not properly validate user-supplied input before executing code based on the input.
A remote user can submit a specially crafted request to execute operating system commands on the target system.
A demonstration
exploit is provided:
filediff?f=CVSROOT/rcsinfo&v1=1.1&v2=1.2;w;
|
Impact: A remote user can execute arbitrary commands on the target system with the privileges of the target web service.
|
Solution: The vendor has issued a fix, available via CVS. A fixed version (1.1.4 or later) is also available at:
http://www.cvstrac.org/cvstrac-src.tar.gz
|
Vendor URL: www.cvstrac.org/ (Links to External Site)
|
Cause: Input validation error
|
Underlying OS: Linux (Any), UNIX (Any)
|
Reported By: Richard Hipp <drh@hwaci.com>
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: 6 Aug 2004 16:51:16 -0000
From: Richard Hipp <drh@hwaci.com>
Subject: Re: CVStrac Remote Arbitrary Code Execution exploit
|
In-Reply-To: <20040805175709.6995.qmail@web50508.mail.yahoo.com>
>Received: (qmail 8445 invoked from network); 5 Aug 2004 19:10:40 -0000
>Received: from outgoing.securityfocus.com (HELO outgoing2.securityfocus.com) (205.206.231.26)
> by mail.securityfocus.com with SMTP; 5 Aug 2004 19:10:40 -0000
>Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
> by outgoing2.securityfocus.com (Postfix) with QMQP
> id 465CF1437C6; Thu, 5 Aug 2004 12:02:39 -0600 (MDT)
>Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
>Precedence: bulk
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq@securityfocus.com>
>List-Help: <mailto:bugtraq-help@securityfocus.com>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
>List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
>Delivered-To: mailing list bugtraq@securityfocus.com
>Delivered-To: moderator for bugtraq@securityfocus.com
>Received: (qmail 25727 invoked from network); 5 Aug 2004 11:48:48 -0000
>Message-ID: <20040805175709.6995.qmail@web50508.mail.yahoo.com>
>Date: Thu, 5 Aug 2004 10:57:09 -0700 (PDT)
>From: Richard Ngo <rtngo@yahoo.com>
>Subject: CVStrac Remote Arbitrary Code Execution exploit
>To: vulndb@securityfocus.com
>Cc: bugtraq@securityfocus.com
>MIME-Version: 1.0
>Content-Type: text/plain; charset=us-ascii
>Hi, Im Richard Ngo, this is the first time i report an
>exploit and found a remote exploit that could allow
>arbitrary code execution in CVStrac.
>sample exploit
>filediff?f=CVSROOT/rcsinfo&v1=1.1&v2=1.2;w;
>All versions vulnerable. I have not contacted
>cvstrac.org since i cant find their email address.
>Please give me credit for the exploit and *please dont
>release the exploit code to the public* for other
>websites security. Maybe just create an advisory.
>Thank you.
The problem has been patched in the CVS archive and
in version 1.1.4 of CVSTrac.
|
|
