{"title": "Jason Maloney Guestbook Arbitrary Command Execution ", "published": "2003-12-01T04:23:29", "references": [], "type": "osvdb", "enchantments": {"score": {"value": 1.0, "vector": "NONE", "modified": "2017-04-28T13:19:57"}, "dependencies": {"references": [], "modified": "2017-04-28T13:19:57"}, "vulnersScore": 1.0}, "cvelist": [], "viewCount": 0, "affectedSoftware": [{"version": "0.x", "name": "Guestbook", "operator": "eq"}, {"version": "3.0", "name": "Guestbook", "operator": "eq"}, {"version": "2.x", "name": "Guestbook", "operator": "eq"}, {"version": "1.x", "name": "Guestbook", "operator": "eq"}], "hash": "9766cda643863d84dbefc5c7006f0996123b808f012e6c6136340fedc18435ee", "id": "OSVDB:2889", "modified": "2003-12-01T04:23:29", "history": [], "href": "https://vulners.com/osvdb/OSVDB:2889", "hashmap": [{"hash": "14df65a6711977e373a6418bcda0fc54", "key": "affectedSoftware"}, {"hash": "f9fa10ba956cacf91d7878861139efb9", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "c60cf6a82d637b834a8c1706c81150dc", "key": "description"}, {"hash": "afaedb209056497fde989d3752a5cc19", "key": "href"}, {"hash": "d405ebfc60513b00c85223b5206062e9", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "d405ebfc60513b00c85223b5206062e9", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "955b328dc7cd615c13af5464c9183464", "key": "reporter"}, {"hash": "39685fbe210d213d3abb7111d0e5b58c", "key": "title"}, {"hash": "1327ac71f7914948578f08c54f772b10", "key": "type"}], "objectVersion": "1.2", "edition": 1, "description": "## Vulnerability Description\nThe vulnerability occurs in the routine that reads and converts user input from hexidecimal. The routine assigns values to all variable names accordingly as specified in the HTTP POST request (guestbook posts are POSTed). An attacker can send a hand crafted POST request which will execute arbitrary commands on the server.\n## Solution Description\nCurrently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s): Replace the vulnerable code in the guestbook so that it checks the values of the important variables after user input. Sample code is available.\n## Short Description\nThe vulnerability occurs in the routine that reads and converts user input from hexidecimal. The routine assigns values to all variable names accordingly as specified in the HTTP POST request (guestbook posts are POSTed). An attacker can send a hand crafted POST request which will execute arbitrary commands on the server.\n## References:\n[Secunia Advisory ID:10336](https://secuniaresearch.flexerasoftware.com/advisories/10336/)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2003-11/0356.html\nISS X-Force ID: 13886\nBugtraq ID: 9139\n", "bulletinFamily": "software", "reporter": "OSVDB", "cvss": {"vector": "NONE", "score": 0.0}, "lastseen": "2017-04-28T13:19:57"}

{}