SecurityTracker.com
Category:   Application (Generic)  >   Super Site Searcher
Vendors:   Independent Solution, The
Super Site Searcher Input Validation Hole Lets Remote Users Execute Arbitrary Shell Commands on the Server
SecurityTracker Alert ID:  1005190
SecurityTracker URL:  http://securitytracker.com/id/1005190
CVE Reference:   CVE-2002-2420
Updated:  Jun 3 2008
Original Entry Date:  Sep 5 2002
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  

Description:   An input validation vulnerability was reported in Super Site Searcher and Simple Site Searcher. A remote user can execute arbitrary commands on the system.

SecurityFocus reported that Super Site Searcher does not properly filter user-supplied input from query string parameters in a URL request. A remote user can create a specially crafted query string that will cause commands to be executed by the operating system shell.

A demonstration exploit URL is provided:

http://target/searchenginepath/site_searcher.cgi?page=|command|

SecurityFocus credits luca.ercoli [at] inwind.it with reporting the flaw but did not indicate where this information has been published.

Impact:   A remote user can execute arbitrary shell commands on the server with the privileges of the web server.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.supercgis.com/site_searcher/
Cause:   Input validation error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.
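
A defender-side check for the request pattern described above, as an added example that is not part of the advisory or the vendor's code: it scans web server access logs for requests to site_searcher.cgi whose page parameter decodes, including through double URL encoding, to shell metacharacters. The access-log format, the sample lines and every metacharacter other than the pipe are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Script name and parameter come from the advisory's demonstration URL.
SCRIPT, PARAM = "site_searcher.cgi", "page"
# "|" is the character in the advisory; the others are further shell
# metacharacters, added here as an assumption (not named on the page).
SHELL_META = re.compile(r"[|;&`$<>\n\r]")
# Request line inside a common/combined format access-log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_value(target):
    """Return the decoded 'page' value if it holds shell metacharacters."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/" + SCRIPT):
        return None
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decodes once; decode again to catch double encoding.
        decoded = unquote(value)
        if name == PARAM and SHELL_META.search(decoded):
            return decoded
    return None

def scan(lines):
    """Yield (line_number, client, decoded_value) for flagged requests."""
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        value = suspicious_value(match.group(1)) if match else None
        if value is not None:
            yield number, line.split(" ", 1)[0], value

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Sep/2002:10:01:00 -0400] "GET /search/site_searcher.cgi?page=1 HTTP/1.0" 200 512',
    '192.0.2.44 - - [05/Sep/2002:10:02:00 -0400] "GET /search/site_searcher.cgi?page=|command| HTTP/1.0" 200 97',
    '192.0.2.44 - - [05/Sep/2002:10:03:00 -0400] "GET /search/site_searcher.cgi?page=%7Ccommand%7C HTTP/1.0" 200 97',
    '192.0.2.44 - - [05/Sep/2002:10:04:00 -0400] "GET /search/site_searcher.cgi?page=%257Ccommand%257C HTTP/1.0" 200 97',
    '192.0.2.77 - - [05/Sep/2002:10:05:00 -0400] "GET /index.html?page=|x| HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for number, client, value in scan(SAMPLE_LOG):
        print(f"line {number}: {client} sent page={value!r}")
```

Because no solution was available at the time of this entry, a hit from a check like this is a reason to review what the web server account did around the logged time.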


 Source Message Contents

Date:  Thu, 05 Sep 2002 10:28:10 -0400
Subject:  Super Site Searcher Bug


SecurityFocus reported a vulnerability in Independent Solution Simple
Site Searcher and Independent Solution Super Site Searcher.  A remote
user can execute arbitrary commands on the system.

It is reported that Super Site Searcher does not properly filter
user-supplied input from query string parameters in a URL request.  A
remote user can create a specially crafted query string that will cause
commands to be executed by the operating system shell.

A demonstration exploit URL is provided:

http://target/searchenginepath/site_searcher.cgi?page=|command|

SecurityFocus credits luca.ercoli [at] inwind.it with reporting the
flaw.  SecurityFocus did not indicate where this information has been
published.

Vendor URL:  http://www.supercgis.com/site_searcher/


 
 



Copyright 2013, SecurityGlobal.net LLC