SecurityTracker.com
SecurityTracker Archives

Category:   Application (Generic)  >   pngren Vendors:   pngren
pngren 'kaiseki.cgi' Input Validation Hole Lets Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1014426
SecurityTracker URL:  http://securitytracker.com/id/1014426
CVE Reference:   CVE-2005-2205   (Links to External Site)
Updated:  Jun 16 2008
Original Entry Date:  Jul 8 2005
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  

Description:   A vulnerability was reported in pngren in the 'kaiseki.cgi' script. A remote user can execute arbitrary commands on the target system.

The ReadLog() function does not properly validate the user-supplied 'log' parameter before making an open() call. A remote user can supply a specially crafted URL to execute arbitrary commands on the target system. The commands will run with the privileges of the target web service.

Some demonstration exploit URLs are provided:

http://[target]/cgi-bin/kaiseki.cgi?file.extension|command|

http://[target]/cgi-bin/kaiseki.cgi?|command|
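The ReadLog() excerpt later on this page passes the user-controlled 'log' value to a two-argument open(), which is why a leading or trailing '|' turns the filename into a command. The reporter's fix strips shell metacharacters with a regular expression; the script below is an added example, not pngren's code, showing the alternative a defender would normally reach for: an allow-list on the log name plus a three-argument open() with an explicit read mode, so the filename is never parsed for pipes or redirections at all. It assumes, as the excerpt does, that $main::logdir names the log directory; the temporary directory, the log file and the candidate names are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not pngren's code): hardened replacement for the ReadLog()
# open() shown in the advisory. $main::logdir is assumed to hold the log
# directory, as in the excerpt; the directory and file are constructed here.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

our $logdir;   # this is $main::logdir

# Allow-list check: a log name must be one plain filename. No leading dot
# (rejects "", "." and ".."), no '/', and none of the shell metacharacters
# that a two-argument open() would interpret.
sub valid_log_name {
    my ($name) = @_;
    return 0 unless defined $name;
    return $name =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\z/ ? 1 : 0;
}

# Returns (filehandle, undef) on success or (undef, reason) on failure.
# Three-argument open() with an explicit '<' mode never treats the name as a
# pipe or redirection, so the "|command|" shape from the advisory cannot run
# anything even if the allow-list were somehow bypassed.
sub read_log_safe {
    my ($name) = @_;
    return (undef, 'invalid log name') unless valid_log_name($name);
    my $path = File::Spec->catfile($logdir, $name);
    open(my $fh, '<', $path) or return (undef, "open failed: $!");
    return ($fh, undef);
}

# Demonstration on constructed input: one real log file plus the two URL
# shapes quoted in the advisory and a traversal attempt.
$logdir = tempdir(CLEANUP => 1);
{
    open(my $w, '>', File::Spec->catfile($logdir, '2005-07.log')) or die $!;
    print $w "constructed log line\n";
    close $w;
}
for my $candidate ('2005-07.log', '|command|', 'file.extension|command|',
                   '../etc/passwd', '') {
    my ($fh, $err) = read_log_safe($candidate);
    if ($fh) {
        my $first = <$fh>;
        chomp $first;
        print "'$candidate' -> opened, first line: $first\n";
        close $fh;
    } else {
        print "'$candidate' -> rejected ($err)\n";
    }
}
```

The allow-list is deliberately narrower than the reporter's deny-list: instead of enumerating characters that are dangerous to open(), it states the only characters a log filename legitimately needs, so anything new or unexpected is refused by default. The three-argument open() is the part that matters even if validation is later relaxed, because the mode is no longer derived from the filename.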

The vendor was notified on July 7, 2005.

blahplok reported this vulnerability.

Impact:   A remote user can execute arbitrary commands on the target system with the privileges of the target web service.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.aurora.dti.ne.jp/~zom/png/pngren/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.
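Because no vendor fix was available when this entry was written, the practical control for an exposed installation is to detect the request shape above in web server logs. The script below is an added example, not part of the SecurityTracker entry or the reporter's message: it scans Common Log Format lines for requests to kaiseki.cgi whose query string contains a shell metacharacter, checking both the raw and the URL-encoded form (a '|' arrives as %7C when a browser encodes it). The access-log lines are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not from the advisory): flag access-log requests to
# kaiseki.cgi whose query string carries a shell metacharacter, raw or
# URL-encoded. The log lines below are constructed.
use strict;
use warnings;

# The same metacharacter set the reporter's fix strips, used here to detect
# rather than sanitize. '$' is escaped so it is a literal inside the class.
my $META = qr/[;<>*|'&\$!?#()\[\]{}:"\\]/;

# Decode %XX sequences so an encoded pipe (%7C) is seen as '|'.
sub url_decode {
    my ($s) = @_;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Returns 1 when the request line targets kaiseki.cgi with a query string
# containing a metacharacter, 0 otherwise.
sub suspicious_request {
    my ($line) = @_;
    # CLF request field: "METHOD /path?query HTTP/x.y"
    return 0 unless $line =~ m{"[A-Z]+ (\S+) HTTP/[\d.]+"};
    my $target = $1;
    my ($path, $query) = split /\?/, $target, 2;
    return 0 unless $path =~ m{/kaiseki\.cgi\z} && defined $query;
    return url_decode($query) =~ $META ? 1 : 0;
}

# Constructed sample: one normal request, the two shapes from the advisory
# (one of them URL-encoded), and an unrelated request.
my @sample = (
    '10.0.0.5 - - [08/Jul/2005:10:00:01 +0000] "GET /cgi-bin/kaiseki.cgi?2005-07.log HTTP/1.0" 200 512',
    '10.0.0.9 - - [08/Jul/2005:10:00:07 +0000] "GET /cgi-bin/kaiseki.cgi?%7Ccommand%7C HTTP/1.0" 200 93',
    '10.0.0.9 - - [08/Jul/2005:10:00:09 +0000] "GET /cgi-bin/kaiseki.cgi?file.extension|command| HTTP/1.0" 200 93',
    '10.0.0.2 - - [08/Jul/2005:10:01:00 +0000] "GET /index.html HTTP/1.0" 200 1200',
);

for my $line (@sample) {
    my ($client) = $line =~ /\A(\S+)/;
    print suspicious_request($line) ? "ALERT $client: $line\n" : "ok    $client\n";
}
```

Run it against a real access log with `perl detect.pl < access_log` after replacing the constructed @sample with lines read from STDIN. A legitimate 'log' value such as a date-stamped filename contains none of the characters in $META, so the rule produces no hits on normal traffic while catching both quoted exploit shapes.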


Source Message Contents

Subject:  *


 vulnerability

Vendor URL    :  http://www.aurora.dti.ne.jp/~zom/Counter/
Vulnerability :  Remote Command Execution
Risk          :  High


==================================================================
An attacker may exploit this vulnerability to execute commands on
the remote host by adding special parameters to Kaiseki.cgi script.

Problem:

There is no filtering of special characters when opening the file in sub ReadLog.
Vulnerable code :

sub ReadLog
{
.......
.......

	$imaLog = $$log;
	# Two-argument open(): a leading or trailing '|' in $imaLog makes Perl
	# treat the string as a command to pipe from, so the user-supplied
	# 'log' value reaches the shell.
	if(!open(IN, "./$main::logdir/$imaLog"))
	{
.......
.......
}

Fix :

add :
$$log =~ s/[;<>\*\|'&\$!?#\(\)\[\]\{\}:'"\\]//go;

before :
$imaLog = $$log;
if(!open(IN, "./$main::logdir/$imaLog"))
{
.....
}

Example exploitation :

http://[target]/cgi-bin/kaiseki.cgi?file.extension|command|
or
http://[target]/cgi-bin/kaiseki.cgi?|command|


June 2005   : bug found
July 7 2005 : vendor contact
July 7 2005 : Vendor response
July 2005   : ----------

==================================================================

by blahplok


Copyright 2020, SecurityGlobal.net LLC