Auction Weaver auctionweaver.pl fromfile Execute Arbitrary Command

2000-08-30T00:00:00
ID OSVDB:4052
Type osvdb
Reporter teleh0r(teleh0r@doglover.com)
Modified 2000-08-30T00:00:00

Description

Vulnerability Description

Auction Weaver Lite contains a flaw that allows a remote attacker to execute arbitrary commands. The issue is due to the auctionweaver.pl script not properly sanitizing input to the "formfield" variable. By manipulating the input provided to the variable, an attacker can supply arbitrary commands that will be executed with the privileges of the web server.

Solution Description

Upgrade to version 1.06 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

Auction Weaver Lite contains a flaw that allows a remote attacker to execute arbitrary commands. The issue is due to the auctionweaver.pl script not properly sanitizing input to the "formfield" variable. By manipulating the input provided to the variable, an attacker can supply arbitrary commands that will be executed with the privileges of the web server.
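The root cause described above is a CGI form value reaching a file or shell operation unchecked. The following Perl CGI fragment is an added illustration written for this record; it is not Auction Weaver code and does not reproduce the original script. It shows the defensive pattern the advisory implies: the form value is matched against an anchored allow-list pattern and only the captured, validated identifier is used to build a path under a fixed directory, opened with three-argument open so the name can never be interpreted as a pipe or command. The field name, directory and accepted character set are assumptions for the example.

```perl
#!/usr/bin/perl
# Added illustration (not auctionweaver.pl): validate a CGI form value before
# it is used to build a filesystem path, so that shell metacharacters and
# path components never reach open() or a shell.
use strict;
use warnings;

# Hypothetical policy for this example: a field value must be 1-32 characters
# drawn from [A-Za-z0-9_]. The anchored regex rejects anything else, and the
# captured group (not the raw input) is what gets returned, which also clears
# Perl taint-mode marking when the script runs under -T.
sub validate_field {
    my ($value) = @_;
    return undef unless defined $value;
    return ($value =~ /\A([A-Za-z0-9_]{1,32})\z/) ? $1 : undef;
}

# Read a per-item data file from a fixed base directory (assumed layout).
# Three-argument open with an explicit '<' mode means the filename is treated
# purely as a path: a leading/trailing '|' or other shell syntax has no meaning.
sub read_item_file {
    my ($field, $base_dir) = @_;
    my $name = validate_field($field);
    return undef unless defined $name;          # reject before touching the filesystem
    my $path = "$base_dir/$name.dat";
    open(my $fh, '<', $path) or return undef;
    local $/;                                    # slurp mode
    my $content = <$fh>;
    close $fh;
    return $content;
}

# Constructed demo inputs: one well-formed identifier and two malformed ones
# (embedded whitespace, and a value containing path components).
for my $input ('item42', 'item 42', '../outside') {
    my $status = defined validate_field($input) ? 'accepted' : 'rejected';
    print "$input => $status\n";
}
```

Running this prints `accepted` only for `item42`. In a real CGI the same idea should be enforced with `perl -T` (taint mode) so that any code path that forgets to validate a form value before an open, system or backtick call dies instead of executing; for external programs, the list form of system (`system('prog', @args)`) avoids the shell entirely.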

References:

Vendor URL: http://www.siteinteractive.com/awl/
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2000-08/0370.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2000-08/0407.html
ISS X-Force ID: 6175
CVE-2000-0690
Bugtraq ID: 1645