Alchemy Eye HTTP Server does not adequately validate user input thereby allowing remote command execution

2002-09-27T00:00:00
ID VU:220715
Type cert
Reporter CERT
Modified 2003-09-18T00:00:00

Description

Overview

Alchemy Eye does not properly validate HTTP requests, allowing arbitrary command execution.

Description

Alchemy Eye includes an HTTP server for remote system monitoring and control. In versions 2.0 through 2.6 of Alchemy Eye, the HTTP server component does not adequately validate HTTP requests, allowing attackers to execute arbitrary commands.


Impact

Remote attackers can execute arbitrary commands on the server.


Solution

The CERT/CC is currently unaware of a practical solution to this problem.


Systems Affected

Vendor| Status| Date Notified| Date Updated
---|---|---|---
Alchemy Lab| | -| 25 Sep 2002
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A

References

  • <http://www.rapid7.com/advisories/R7-0001.txt>
  • <http://www.securityfocus.com/bid/3599>
  • <http://www.alchemy-lab.com/products/eye/>
  • <http://www.deksoftware.com/alchemy/>

Credit

Thanks to Rapid 7 for reporting this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

  • CVE IDs: CAN-2001-0871
  • Date Public: 29 Nov 2001
  • Date First Published: 27 Sep 2002
  • Date Last Updated: 18 Sep 2003
  • Severity Metric: 6.50
  • Document Revision: 6