Recent Shell Command Execution vulnerabilities
Here is a short summary of recent Shell Command Execution vulnerabilities discovered by the eVuln team. The full list, with details, is available on the eVuln Security Advisories page.
Multiple flaws in Leif M. Wright Blog.
Description.
In the default installation, "txt" files are not protected by .htaccess (or by any other means). This can be used to retrieve the administrator's password from the configuration file.
The "blog.cgi" script does not compare the password when identifying the administrator by cookie; the presence of the cookie alone is trusted.
The administrator can edit the blog configuration, including the full path to the sendmail program. Because that path is executed by the script, this can be used to run arbitrary shell commands.
System access is possible.
The environment variables HTTP_REFERER and HTTP_USER_AGENT are not properly sanitized. This can be used to send an HTTP request with fake Referer or User-Agent values containing arbitrary HTML or script code. That code will be executed in the administrator's browser when the administrator opens the "Log" page.
Exploit.
URL example (unprotected configuration file):
http://[host]/cgi-bin/blog/blogconfig.txt
Cookie (administrator identification without a password check):
Cookie: blogAdmin=true
Configuration value (sendmail path replaced with an arbitrary program):
Sendmail: /bin/ls
HTTP request (Referer and User-Agent values land unescaped on the "Log" page):
GET /cgi-bin/blog/blog.cgi HTTP/1.0
Host: [host]
Referer: [XSS]
User-Agent: [XSS]
Content-Type: application/x-www-form-urlencoded
Content-Length: 93

file=15-13.59.39.txt&year=2006&month=February&name=zz&comment=zzz&submit=Enter%20my%20comment
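The following is an added example written for this summary; it is not code from the Leif M. Wright Blog. It shows the three server-side mistakes described above, each beside a hardened version: trusting the mere presence of an admin cookie, passing an administrator-editable sendmail path through the shell, and writing raw Referer/User-Agent values into the "Log" page. The configuration hash, the cookie token, the allow-list of sendmail paths and the log-table layout are assumptions for illustration; the two sendmail subroutines are defined but not invoked.

```perl
#!/usr/bin/perl
# Added example, not the blog's own code. Names ($config, admin_token,
# %ALLOWED_SENDMAIL, the log row layout) are assumptions for illustration.
use strict;
use warnings;

# --- 1. Administrator identification by cookie -------------------------------
# Vulnerable pattern: "blogAdmin=true" in the Cookie header is enough.
sub is_admin_vulnerable {
    my ($cookie) = @_;
    return $cookie =~ /blogAdmin=true/ ? 1 : 0;
}

# Hardened: the cookie must carry a value that is compared, in constant time,
# against a server-side secret (a random token stored with the configuration).
sub is_admin_hardened {
    my ($cookie, $config) = @_;
    my ($token) = $cookie =~ /(?:^|;\s*)blogAdmin=([A-Za-z0-9]+)/;
    return 0 unless defined $token;
    return 0 unless length($token) == length($config->{admin_token});
    my $diff = 0;
    for my $i (0 .. length($token) - 1) {
        $diff |= ord(substr($token, $i, 1)) ^ ord(substr($config->{admin_token}, $i, 1));
    }
    return $diff == 0 ? 1 : 0;
}

# --- 2. Administrator-editable sendmail path ---------------------------------
# Vulnerable pattern: the configured path is interpolated into a shell
# command, so "Sendmail: /bin/ls" (or "/usr/sbin/sendmail; id") runs as typed.
sub send_vulnerable {
    my ($config, $msg) = @_;
    open(my $mail, "|$config->{sendmail} -t") or die "sendmail: $!";
    print {$mail} $msg;
    close $mail;
}

# Hardened: the path must appear on a fixed allow-list, and the program is
# started with the list form of open, which never involves a shell.
my %ALLOWED_SENDMAIL = ('/usr/sbin/sendmail' => 1, '/usr/lib/sendmail' => 1);

sub sendmail_path_ok {
    my ($path) = @_;
    return exists $ALLOWED_SENDMAIL{$path} ? 1 : 0;
}

sub send_hardened {
    my ($config, $msg) = @_;
    die "refusing sendmail path '$config->{sendmail}'"
        unless sendmail_path_ok($config->{sendmail});
    open(my $mail, '|-', $config->{sendmail}, '-t') or die "sendmail: $!";
    print {$mail} $msg;
    close $mail;
}

# --- 3. Referer / User-Agent written to the administrator's "Log" page ------
# Vulnerable pattern: raw header values are interpolated into HTML.
sub log_line_vulnerable {
    my ($referer, $ua) = @_;
    return "<tr><td>$referer</td><td>$ua</td></tr>\n";
}

# Hardened: escape the value before it becomes markup.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

sub log_line_hardened {
    my ($referer, $ua) = @_;
    return "<tr><td>" . html_escape($referer) . "</td><td>" . html_escape($ua) . "</td></tr>\n";
}

# Demonstration with constructed inputs (send_* subs are not called here).
my $config = { sendmail => '/bin/ls', admin_token => 'k7Q2zP9w' };
print "vulnerable check accepts 'blogAdmin=true': ", is_admin_vulnerable('blogAdmin=true'), "\n";
print "hardened check accepts 'blogAdmin=true':   ", is_admin_hardened('blogAdmin=true', $config), "\n";
print "sendmail path '/bin/ls' allowed:           ", sendmail_path_ok($config->{sendmail}), "\n";
print log_line_vulnerable('http://evil.example/<script>alert(1)</script>', 'Mozilla');
print log_line_hardened('http://evil.example/<script>alert(1)</script>', 'Mozilla');
```

The allow-list is the important part of the sendmail fix: the list-form open stops shell metacharacters, but without the allow-list an administrator (or anyone holding the forged cookie) could still point the path at any executable on the system. The unprotected "txt" files are an Apache configuration problem rather than a code problem and are not covered by this example.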
Solution.
Solution is not available.
Other details >>
Guestex Shell Command Execution Vulnerability.
Description.
Vulnerable Script: guestex.pl
The variable $form{'email'} is not properly sanitized before reaching the shell. This can be used to execute arbitrary shell commands.
System access is possible.
Exploit.
When adding a new record, submit the following value in the email field:
email: some@email.com;[command]
Solution.
Solution is not available.
Other details >>
Arbitrary Shell Command Execution in MyQuiz.
Description.
Vulnerable Script: myquiz.pl
The variable $ENV{'PATH_INFO'} is not properly sanitized before it is used to build a file name. This can be used to execute arbitrary commands.
System access is possible.
Exploit.
URL example:
http://host/cgi-bin/myquiz.pl/ask/;command|
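The following is an added example written for this summary; it is not code from Guestex or MyQuiz. It shows the two injection shapes used in the Guestex and MyQuiz exploits above beside hardened versions: a form field (the Guestex email address) interpolated into a shell command, where ";" starts a second command, and a PATH_INFO value (the MyQuiz case) reaching a two-argument open, where a trailing "|" turns the "file name" into a command to run. The sendmail location, the quiz directory, the file naming scheme and the validation patterns are assumptions for illustration; the vulnerable subroutines are defined but not invoked.

```perl
#!/usr/bin/perl
# Added example, not the Guestex or MyQuiz code. Paths (/usr/sbin/sendmail,
# /var/www/quiz), the ".txt" naming scheme and the validation regexes are
# assumptions for illustration.
use strict;
use warnings;

# --- Guestex-style: a form field interpolated into a shell command -----------
# Vulnerable pattern: "some@email.com;id" becomes two shell commands.
sub notify_vulnerable {
    my ($email) = @_;
    open(my $mail, "|/usr/sbin/sendmail $email") or die "sendmail: $!";
    print {$mail} "Subject: new guestbook entry\n\nThanks for signing.\n";
    close $mail;
}

# Hardened: accept only a strictly shaped address (first character alphanumeric,
# so it can never be parsed as an option), then pass it as a separate argument
# with the list form of open so no shell ever sees it.
sub email_ok {
    my ($email) = @_;
    return 0 unless defined $email;
    return $email =~ /\A[A-Za-z0-9][A-Za-z0-9._%+-]*\@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/ ? 1 : 0;
}

sub notify_hardened {
    my ($email) = @_;
    die "rejecting address '$email'" unless email_ok($email);
    open(my $mail, '|-', '/usr/sbin/sendmail', $email) or die "sendmail: $!";
    print {$mail} "Subject: new guestbook entry\n\nThanks for signing.\n";
    close $mail;
}

# --- MyQuiz-style: PATH_INFO reaching a two-argument open -------------------
# Vulnerable pattern: two-argument open treats a trailing "|" as "run this as
# a command", so PATH_INFO "/ask/;command|" executes command.
sub read_quiz_vulnerable {
    my ($path_info) = @_;
    my $file = "/var/www/quiz$path_info";
    open(my $fh, $file) or die "open: $!";
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Hardened: allow only a single bare quiz name, build the path from a fixed
# directory, and use three-argument open in read-only mode.
sub quiz_name_from_path_info {
    my ($path_info) = @_;
    return unless defined $path_info;
    my ($name) = $path_info =~ m{\A/([A-Za-z0-9_-]{1,32})\z};
    return $name;
}

sub read_quiz_hardened {
    my ($path_info) = @_;
    my $name = quiz_name_from_path_info($path_info);
    die "rejecting PATH_INFO '$path_info'" unless defined $name;
    my $file = "/var/www/quiz/$name.txt";
    open(my $fh, '<', $file) or die "open $file: $!";
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Demonstration with constructed inputs (the vulnerable subs are not called).
for my $e ('some@email.com', 'some@email.com;id', '-oQ/tmp@x.com') {
    printf "email %-22s ok=%d\n", "'$e'", email_ok($e);
}
for my $p ('/ask', '/ask/;id|', '/../../etc/passwd') {
    my $n = quiz_name_from_path_info($p);
    printf "PATH_INFO %-22s -> %s\n", "'$p'", defined $n ? "quiz '$n'" : 'rejected';
}
```

Two points generalise beyond these two scripts: any Perl open whose mode is not given as a separate argument (the two-argument form, or a string beginning or ending with "|") is a command execution sink when the string contains user input, and validation alone is not enough if the validated value is still concatenated into a shell string. The hardened subroutines do both: reject anything outside a narrow pattern, and keep the value out of the shell entirely.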
Solution.
A vendor-provided solution is now available.
The new version of the script can be downloaded here:
http://www.corantodemo.net/coranto/viewnews.cgi?id=EpApAAAVkyirPGThSf&style=dldetails
Other details >>

