Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web :: Apps :: bsscript.htm

BS Scripts Multiple CGI execute arbitrary code

    BS Scripts


    BS Scripts Multiple CGI


    Following  has  been  discovered  by  Elf.   There are a couple of
    scripts from bsScripts, that have holes in them because the author
    did not filter out ; from  the form input.  The scripts  that this
    affects are  bsguest (a  guestbook script)  and bslist  (a mailing
    list script).  The hole  allows anyone to execute commands  on the

    BSGuest does not filter out ; resulting in the ability for anyone
    to execute commands on the server.  The attacker just enters his
    email address as;/usr/sbin/sendmail < /etc/passwd

    It's important to point out  that just filtering out the  ';' char
    doesn't fix the  problem.  Think  about using '&'  or '&&' instead
    of it...


    The author has been informed and the holes are now patched in  the
    latest release.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH