| Field | Value |
|---|---|
| VID | 210072 |
| Severity | 40 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | The ServerView software is vulnerable to arbitrary command execution via the 'SnmpListMibValues' script. Fujitsu Siemens ServerView is a web-based suite of asset management tools. ServerView versions prior to 4.50.09 could allow a remote attacker to execute arbitrary commands on the system, caused by improper validation of user-supplied input passed to the 'Servername' parameter of the 'SnmpView/SnmpListMibValues' script and the 'Parameterlist' parameter of the 'DBAsciiAccess' script. By sending a specially crafted URL request that exploits either of these vulnerabilities, a remote attacker could inject and execute arbitrary shell commands on the affected host with the privileges of the web server. |
| References | http://www.securityfocus.com/archive/1/472800/30/0/threaded ; http://www.redteam-pentesting.de/advisories/rt-sa-2007-002.php ; http://www.frsirt.com/english/advisories/2007/2441 ; http://secunia.com/advisories/25944 |
| Platforms Affected | Fujitsu Siemens Computers ServerView, versions prior to 4.50.09; Linux, any version; Unix, any version |
| Recommendation | Upgrade to the latest version of Fujitsu ServerView (4.50.09 or later), available from the Fujitsu ServerView Web site at http://www.fujitsu-siemens.com/products/standard_servers/system_management/index.html |
| Related URL | CVE-2007-3011 (CVE) |
| Related URL | 24762 (SecurityFocus) |
| Related URL | 35257 (ISS) |