Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: General :: kwwhois1.htm

KW Whois - execute commands as the webserver



Vulnerability

    KW Whois

Affected

    KW Whois 1.0

Description

    Mark  Stratman  found  following.   There  is  a  vulnerability in
    Kootenay Web Inc's KW Whois  v1.0 which allows malicious users  to
    execute commands as the uid/gid  of the webserver.  The  hole lies
    in unchecked user input via an  input form box.  The form  element
    <input type=text name="whois">  is not checked  by the script  for
    unsafe characters.

    Unsafe code:

        $site = $query->param('whois');
        ....
        $app = `whois $site`;
        print "$app .......

    Proof of concept:  Type ";id" (without the quotes) into the  input
    box.

Solution

    Parse out  unsafe characters  in $query->param  with standard  cgi
    checking (see http://www.n3t.net/programming/).


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH