Japan Vulnerability NotesJVN:81294906JVN#81294906 Homepage Builder sample CGI programs vulnerable to OS command injection
Among sample CGI programs included in Homepage Builder, anketo.cgi, kansou.cgi, and order.cgi contain an OS command injection vulnerability as they do not properly validate input data.
Impact
An arbitrary command could be executed on the web server with the privilege of the web server process.
Solution
Apply the Patch
Apply the patch named "HPBCGIFIX " or manually fix the CGI programs installed on the server by following the instructions provided by the vendor.
"HPBCGIFIX " fixes the CGI sample programs in the sample folder. CGI programs customized or copied to a userβs folder must be manually fixed.
For more information, please refer to the vendorβs website βHow to fix sample CGI of Homepage Builderβ
Products Affected
Servers deploying the sample CGI programs are affected.
- Homepage Builder - 11
- Homepage Builder - 10
- Homepage Builder - 10 Lite
- Homepage Builder - V9
- Homepage Builder - V9 Lite
- Homepage Builder - V8
- Homepage Builder - V8 Lite
- Homepage Builder - V7
- Homepage Builder - V7 Lite
- Homepage Builder V6.5 with HotMedia
- Homepage Builder V6.5 with HotMedia Lite
- Homepage Builder - V6
- Homepage Builder - V6 Lite
- Homepage Builder - 2001
- Homepage Builder - 2000
- Homepage Builder - V3
- Homepage Builder - V2 Value Pack
According to the vendor, it is confirmed that vulnerable CGI sample programs are not included in the demo versions of each product.