CGIScript.net csNews.cgi Advanced Settings Command Execution

2002-06-11T00:00:00
ID OSVDB:8132
Type osvdb
Reporter Steve Gustin(stegus1@yahoo.com)
Modified 2002-06-11T00:00:00

Description

Vulnerability Description

csNews contains a flaw that allows an attacker to execute arbitrary code. The contents of text fields in the advanced settings are not properly validated, which allows an attacker to inject arbitrary Perl code.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Manual Testing Notes

Any user with access to the advanced settings (granted with anonymous access, user access, or admin access) can execute Perl and system commands by adding the following to any text field: \"; PERL_CODE_HERE \"
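
The quote-breaking pattern in the testing notes works whenever a field value is pasted between double quotes into Perl source that is later loaded. The following is an added example, not csNews code or code from the advisory: it assumes settings are saved as Perl assignments in a file, and the names `naive_line`, `safe_line` and `title` are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: each setting is stored as a Perl assignment in a file that the
# application later loads with do/require. All names here are hypothetical.

# Unsafe pattern: the raw field value is pasted between double quotes, so a
# double quote in the value ends the string and the rest is parsed as code.
sub naive_line {
    my ($name, $value) = @_;
    return "\$$name = \"$value\";\n";
}

# Hardened form: validate the name, reject control characters, and emit a
# single-quoted literal. Inside single quotes Perl does no interpolation and
# only backslash and single quote need escaping.
sub safe_line {
    my ($name, $value) = @_;
    die "bad setting name\n" unless $name =~ /\A[A-Za-z_][A-Za-z0-9_]*\z/;
    die "control character in value\n" if $value =~ /[\x00-\x08\x0a-\x1f\x7f]/;
    (my $quoted = $value) =~ s/([\\'])/\\$1/g;
    return "\$$name = '$quoted';\n";
}

# Constructed sample input: a harmless marker in place of real code.
my $value = q{"; print "INJECTED\n"; "};

# Printed only, never evaluated: the value closes the string early and the
# line becomes three separate statements.
print "naive: ", naive_line('title', $value);

# The hardened line is a single assignment of a string literal.
my $line = safe_line('title', $value);
print "safe:  ", $line;

# Load the hardened line the way a settings file would be loaded and check
# that the stored value comes back byte for byte with nothing executed.
our $title;
eval $line;
die $@ if $@;
print $title eq $value ? "round-trip ok\n" : "round-trip FAILED\n";
```

Storing settings as data (for example key/value lines parsed by the application) instead of as Perl source removes this class of problem entirely; the escaping above is the minimum when the file format cannot change.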

References:

Vendor URL: http://www.cgiscript.net
Security Tracker: 1004516
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2002-06/0091.html
ISS X-Force ID: 8636
CVE-2002-0924
Bugtraq ID: 4451