Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Remote command execution via KW Whois 1.0

From: Mark Stratman <mstrat1 () UIC EDU>
Date: Sun, 29 Oct 2000 04:30:49 -0600
Greetings,

There is a vulnerability in Kootenay Web Inc's KW Whois v1.0 which allows
malicious users to execute commands as the uid/gid of the webserver.
The hole lies in unchecked user input via an input form box.
The form element <input type=text name="whois"> is not checked by the
script for unsafe characters.
Unsafe code:
$site = $query->param('whois');
....
$app = `whois $site`;
print "$app .......

Proof of concept:
        Type ";id" (without the quotes) into the input box.

cheers.
Mark Stratman (count0)
(mstrat1 () uic edu)
http://sporkstorms.org
Previous By Date Next
Previous By Thread Next

Current thread: