Unix Manual PHP-Script does not adequately validate user input thereby allowing arbitrary command execution

2002-09-26T00:00:00
ID VU:672419
Type cert
Reporter CERT
Modified 2002-09-26T00:00:00

Description

Overview

Unix Manual (manual.php) does not adequately validate user input before passing it to the shell, allowing remote attackers to execute arbitrary commands on the web server.

Description

Unix Manual (also known as manual.php) is a PHP script used to look up and display man pages on the web. The script passes the requested page name to a shell command without adequately filtering it, so shell metacharacters in the request allow an attacker to append and execute arbitrary commands on the server.
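The following is a constructed illustration added to this note; it is not the manual.php source (which the note does not reproduce) and the function names, parameter names and the environment values are assumptions. It shows the unsafe pattern the description refers to, user input interpolated into a shell command that runs man(1), beside a hardened lookup that validates the page name, never starts a shell (array-form proc_open(), PHP 7.4 or later), and uses the getopt "--" convention so the name cannot be parsed as a man(1) option.

```php
<?php
declare(strict_types=1);

// Constructed example for this note; not the manual.php source.

// VULNERABLE pattern: the request parameter is interpolated into a shell
// command line. A request such as  ?page=ls;id  or  ?page=$(id)  runs the
// injected command with the web server's privileges.
function lookup_man_page_vulnerable(string $page): string
{
    return (string) shell_exec("man $page 2>&1 | col -b");
}

// Accept only plausible man page names (assumed character set). Besides shell
// metacharacters and '/', this rejects a leading '-', which escapeshellarg()
// would quote happily but which man(1) would then parse as an option
// (e.g. '-P /bin/sh' selects a pager program).
function is_valid_man_page_name(string $page): bool
{
    return preg_match('/^[A-Za-z0-9_.+:][A-Za-z0-9_.+:-]{0,63}$/', $page) === 1;
}

// Manual sections: a digit, optionally followed by a short suffix (3p, 1ssl).
function is_valid_man_section(string $section): bool
{
    return preg_match('/^[1-9][a-z]{0,3}$/', $section) === 1;
}

// HARDENED lookup: validate, then run man(1) without a shell at all. With an
// array command, proc_open() passes each element as one argv entry, so there
// is no quoting layer for an attacker to escape from; '--' ends option
// parsing so the page name is never read as a flag.
function lookup_man_page(string $page, ?string $section = null): string
{
    if (!is_valid_man_page_name($page)) {
        throw new InvalidArgumentException('invalid man page name');
    }
    if ($section !== null && !is_valid_man_section($section)) {
        throw new InvalidArgumentException('invalid manual section');
    }

    $argv = ['man'];
    if ($section !== null) {
        $argv[] = $section;
    }
    $argv[] = '--';
    $argv[] = $page;

    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    // Minimal, fixed environment (assumed values): no interactive pager,
    // fixed width, no locale surprises, a PATH we control.
    $env = ['PATH' => '/usr/bin:/bin', 'MANPAGER' => 'cat',
            'MANWIDTH' => '80', 'LANG' => 'C'];
    $proc = proc_open($argv, $spec, $pipes, null, $env);
    if (!is_resource($proc)) {
        throw new RuntimeException('failed to start man');
    }
    $out = (string) stream_get_contents($pipes[1]);
    stream_get_contents($pipes[2]); // drained, deliberately not shown to the client
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);

    if ($status !== 0) {
        // Do not echo stderr to the client; it can leak paths and versions.
        throw new RuntimeException('no manual entry for ' . $page);
    }
    // Strip the backspace overstrike sequences man emits for bold/underline,
    // which is what `col -b` used to do in the classic pipeline.
    return (string) preg_replace('/.\x08/', '', $out);
}

// Request handler: validate on the way in, send plain text on the way out.
if (PHP_SAPI !== 'cli' && isset($_GET['page'])) {
    try {
        $section = isset($_GET['section']) ? (string) $_GET['section'] : null;
        header('Content-Type: text/plain; charset=utf-8');
        echo lookup_man_page((string) $_GET['page'], $section);
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo 'Bad request';
    } catch (RuntimeException $e) {
        http_response_code(404);
        echo 'Not found';
    }
}
```

Note that escaping alone is not the fix: escapeshellarg() stops shell metacharacters but still delivers a value such as "-P /bin/sh" to man(1) as one argument, so the validator must reject a leading "-" and the argv must carry "--" regardless of how the command is launched. Avoiding the shell entirely removes the class of bug this note describes rather than filtering for it.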


Impact

Remote attackers can execute arbitrary commands on the server with the privileges of the web server process.


Solution

The CERT/CC is currently unaware of a practical solution to this problem.


Systems Affected

Vendor| Status| Date Notified| Date Updated
---|---|---|---
Marcus S. Xenakis| | -| 24 Sep 2002
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A

References

  • <http://www.securityfocus.com/bid/3718>

Credit

Thanks to Florian Hobelsberger of BlueScreen for reporting this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

  • CVE IDs: CAN-2001-1214
  • Date Public: 15 Dec 2001
  • Date First Published: 26 Sep 2002
  • Date Last Updated: 26 Sep 2002
  • Severity Metric: 4.28
  • Document Revision: 4