Multiple Vendor Global global.cgi Command Execution

2000-10-24T00:00:00
ID OSVDB:6486
Type osvdb
Reporter Shigio Yamaguchi (shigio@tamacom.com)
Modified 2000-10-24T00:00:00

Description

Vulnerability Description

The Global package global.cgi contains a flaw that may allow a malicious user to execute arbitrary shell commands. The issue is triggered by insufficient handling of quoted or escaped characters in this version; command line arguments are then handed off to shell commands. It is possible that the flaw may allow remote command execution, resulting in a loss of integrity.

Solution Description

Upgrade to the newest version of global-4.0.1, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s): modify the file 'HTML/cgi-bin/global.cgi' around line 35, and change the generated HTML from:

    $pattern =~ s/'//g; # to shut security hole

to:

    $pattern =~ s/"//g; # to shut security hole
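The workaround above only holds if the stripped quote character matches the quoting used where the pattern is placed on the command line. The following added example (not code from global.cgi or the GLOBAL project) compares the two filter lines with a list-form spawn that never involves the shell; the helper names, the child perl standing in for the external command, the sample input and a POSIX /bin/sh are all assumptions.

```perl
#!/usr/bin/perl
# Added illustration; not code from global.cgi. Assumes a POSIX /bin/sh.
use strict;
use warnings;

# Stand-in for the external command: a child perl that prints its argv,
# so the number of arguments the child really received is visible.
my $CHILD_CODE = 'print join("|", @ARGV)';

# The two filter lines quoted in the workaround above.
sub filter_single { my ($p) = @_; $p =~ s/'//g; return $p; }
sub filter_double { my ($p) = @_; $p =~ s/"//g; return $p; }

# Hypothetical helper: place the pattern inside a double-quoted shell word.
# qx{} hands the whole string to /bin/sh, which re-parses the quotes.
sub run_via_shell {
    my ($pattern) = @_;
    my $cmd = $^X . " -e '" . $CHILD_CODE . "' -- \"" . $pattern . "\"";
    my $out = qx{$cmd};
    return $out;
}

# Hypothetical helper: list-form open passes each element as one argv
# entry and starts the child directly, so no shell parsing takes place.
sub run_via_list {
    my ($pattern) = @_;
    open(my $fh, '-|', $^X, '-e', $CHILD_CODE, '--', $pattern)
        or die "cannot start child: $!";
    local $/;
    my $out = <$fh>;
    close $fh;
    return $out;
}

# Constructed sample input: one search pattern containing double quotes.
my $input = q{main" "second};

# Filter for the wrong quote character: the shell sees two words.
printf "%-28s => [%s]\n", 'shell + single-quote filter',
    run_via_shell(filter_single($input));
# Filter matching the quoting in use: the shell sees one word.
printf "%-28s => [%s]\n", 'shell + double-quote filter',
    run_via_shell(filter_double($input));
# No filter and no shell: the child receives the input unchanged.
printf "%-28s => [%s]\n", 'argv list, no filter',
    run_via_list($input);
```

The `|` in the output separates the arguments the child received, so a result containing `|` means the input was split into more than one argument.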

References:

Vendor URL: http://www.tamacom.com/global/
Vendor Specific Advisory URL
Vendor Specific Advisory URL
ISS X-Force ID: 5424
CVE-2000-0952