Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Generic)  >   pngren Vendors:   pngren
pngren 'kaiseki.cgi' Input Validation Hole Lets Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1014426
SecurityTracker URL:
CVE Reference:   CVE-2005-2205   (Links to External Site)
Updated:  Jun 16 2008
Original Entry Date:  Jul 8 2005
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  

Description:   A vulnerability was reported in pngren in the 'kaiseki.cgi' script. A remote user can execute arbitrary commands on the target system.

The ReadLog() function does not properly validate the user-supplied 'log' parameter before making an open() call. A remote user can supply a specially crafted URL to execute arbitrary commands on the target system. The commands will run with the privileges of the target web service.

Some demonstration exploit URLs are provided:



The vendor was notified on July 7, 2005.

blahplok reported this vulnerability.

Impact:   A remote user can execute arbitrary commands on the target system with the privileges of the target web service.
Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  *


Vendor URL    :
Vulnerability :  Remote Command Execution
Risk          :  High

An attacker may exploit this vulnerability to execute commands on
the remote host by adding special parameters to Kaiseki.cgi script.


There is no filtering special character when open file in sub ReadLog.
Vulnerable code :

sub ReadLog

	$imaLog = $$log;
	if(!open(IN, "./$main::logdir/$imaLog"))

Fix :

add :
$$log =~ s/[;<>\*\|'&\$!?#\(\)\[\]\{\}:'"\\]//go;

before :
$imaLog = $$log;
if(!open(IN, "./$main::logdir/$imaLog"))

Example exploitasion :


June 2005   : bug found
July 7 2005 : vendor contact
July 7 2005 : Vendor respon
July 2005   : ----------


by blahplok


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC