WebGlimpse command injection vulnerability

2012-03-20T00:00:00
ID VU:364363
Type cert
Reporter CERT
Modified 2012-03-27T20:22:00

Overview

Webglimpse, a web site search application, contains a command injection vulnerability.

Description

The webglimpse.cgi script contains a command injection vulnerability. An attacker can supply a specially crafted value in the query URL parameter to run system commands. The output of the command is displayed in the resulting web page.

An example of the query parameter is below:
query=%27%26command+and+arguments+go+here%26%27

It has been reported that this vulnerability is being exploited in the wild.
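As an added example (not part of the CERT note or of WebGlimpse itself), a Python triage script that scans Apache access-log lines for webglimpse.cgi requests whose query parameter, once URL-decoded, matches the quote-and-ampersand shape shown above or carries other shell metacharacters. The log lines, client IPs and the `id` value are constructed sample data; line 3 reuses the advisory's own example value.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format access log lines (sample data, not from the advisory).
# Line 3 carries the advisory's own example value for the query parameter.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Mar/2012:10:01:02 +0000] "GET /cgi-bin/webglimpse.cgi?query=annual+report&ID=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Mar/2012:10:02:17 +0000] "GET /cgi-bin/webglimpse.cgi?query=%27%26id%26%27&ID=1 HTTP/1.1" 200 812 "-" "curl/7.21"
198.51.100.9 - - [20/Mar/2012:10:02:40 +0000] "GET /cgi-bin/webglimpse.cgi?query=%27%26command+and+arguments+go+here%26%27 HTTP/1.1" 200 640 "-" "curl/7.21"
192.0.2.77 - - [20/Mar/2012:10:03:01 +0000] "GET /cgi-bin/other.cgi?query=%27%26id%26%27 HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

# Apache combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# The exact shape the advisory describes: a quote-and-ampersand wrapper around a command.
ADVISORY_PATTERN = re.compile(r"^'&.*&'$", re.S)
# Broader check: any shell metacharacter in a search term is suspicious for this CGI.
SHELL_META = re.compile(r"[;&|`]|\$\(")


def classify_query(value):
    """Classify a URL-decoded query value: 'advisory-pattern', 'shell-meta' or None."""
    if ADVISORY_PATTERN.search(value):
        return "advisory-pattern"
    if SHELL_META.search(value):
        return "shell-meta"
    return None


def scan_log(text):
    """Return one hit dict per webglimpse.cgi request whose query value looks injected."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["uri"])
        if not parts.path.endswith("/webglimpse.cgi"):
            continue
        # parse_qs splits on the raw '&' first, then percent-decodes each value,
        # so an encoded %26 survives into the value and can be inspected.
        for value in parse_qs(parts.query, keep_blank_values=True).get("query", []):
            verdict = classify_query(value)
            if verdict:
                hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                             "query": value, "verdict": verdict})
    return hits
```

The broader metacharacter check will also flag legitimate searches such as "R&D", so treat a `shell-meta` verdict as a lead to review and an `advisory-pattern` verdict as a strong indicator.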


Impact

An attacker may be able to run operating system commands under the context of the user running the web server. It has been reported that attackers are leveraging this vulnerability to install PHP backdoors on affected web servers.


Solution

Apply an Update

Webglimpse version 2.20.0 has been released to address this vulnerability.


Vendor Information

WebGlimpse Affected

Notified: February 14, 2012 Updated: March 20, 2012

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | 5 | AV:N/AC:--/Au:N/C:C/I:C/A:P
Temporal | 4.3 | E:H/RL:OF/RC:C
Environmental | 4.3 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

  • <http://webglimpse.net/>
  • <http://cwe.mitre.org/data/definitions/78.html>

Acknowledgements

Thanks to Kevin Perry for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs: | None
---|---
Severity Metric: | 3.38
Date Public: | 2012-03-20
Date First Published: | 2012-03-20
Date Last Updated: | 2012-03-27 20:22 UTC
Document Revision: | 26