Alchemy Eye HTTP Server does not adequately validate user input thereby allowing remote command execution

ID VU:220715
Type cert
Reporter CERT
Modified 2003-09-18T00:00:00



Alchemy Eye does not properly validate HTTP requests, allowing arbitrary command execution.


Alchemy Eye includes an HTTP server for remote system monitoring and control. In versions 2.0 through 2.6 of Alchemy Eye, the HTTP server component does not adequately validate HTTP requests, allowing attackers to execute arbitrary commands.


Remote attackers can execute arbitrary commands on the server.


The CERT/CC is currently unaware of a practical solution to this problem.

Systems Affected

Vendor| Status| Date Notified| Date Updated
Alchemy Lab| | -| 25 Sep 2002
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A


  • <>
  • <>
  • <>
  • <>


Thanks to Rapid 7 for reporting this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

  • CVE IDs: CAN-2001-0871
  • Date Public: 29 Nov 2001
  • Date First Published: 27 Sep 2002
  • Date Last Updated: 18 Sep 2003
  • Severity Metric: 6.50
  • Document Revision: 6