SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Web-Portal-System (WPS) Vendors:   Web Site Engineering GmbH
Web-Portal-System 'wps_shop.cgi' Remote Command Execution
SecurityTracker Alert ID:  1014480
SecurityTracker URL:  http://securitytracker.com/id/1014480
CVE Reference:   CVE-2005-2290   (Links to External Site)
Updated:  Jun 24 2008
Original Entry Date:  Jul 14 2005
Impact:   Execution of arbitrary code via network, User access via network

Version(s): 0.7.0
Description:   blahplok reported a vulnerability in Web-Portal-System (WPS). A remote user can execute arbitrary commands on the target system.

The showartikel() function in the 'wps_shop.cgi' script does not properly validate user-supplied information in the 'art' and 'cat' parameters. A remote user can supply specially crafted parameter values to execute arbitrary operating system commands on the target system. The commands will run with the privileges of the target web service.

Impact:   A remote user can execute arbitrary commands on the target system with the privileges of the target web service.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.web-site-engineering.de/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  WPS Web-Portal-System v.0.7.0 (wps_shop.cgi) remote commands


WPS Web-Portal-System v.0.7.0 (wps_shop.cgi) remote commands execution vulnerability

Vendor URL    :  http://www.pcdoc24.de (vendor website seem down)
Vulnerability :  Remote Command Execution
Risk          :  High


==================================================================
An attacker may exploit this vulnerability to execute commands on
the remote host by adding special parameters to wps_shop.cgi script.

Problem:

There is no filtering special character when open file in sub showartikel.
Vulnerable code :

###########
sub showartikel {
###########
	cartfooter();
	open(DATA, "$shopcatsdir/$info{'cat'}/$info{'art'}"); 
	lock(DATA); 
.......................................
.......................................

}

Fix :

add :
$info{'art'} =~ s/[;<>\*\|'&\$!?#\(\)\[\]\{\}:'"\\]//go;

before :
open(DATA, "$shopcatsdir/$info{'cat'}/$info{'art'}"); 
}



Juni 2005   : bug found
Vendor website seem down and this hole not comfirmed to vendor
July 2005   : -----------

==================================================================

SELAMAT ULANG TAHUN BUAT 'PRABA ALKAUSAR HG'
SEMOGA BISA MENJADI MENUSIA BERGUNA... AMIENNN...

bug found and reported by blahplok@yahoo.com

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, SecurityGlobal.net LLC