| Field | Value |
| --- | --- |
| VID | 21265 |
| Severity | 40 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | The WebWho+ CGI script webwho.pl contains a remote command execution vulnerability. WebWho+ is a free XFI script written by Tony Greenwood for running whois queries from the web. Although it checks some parameters for shell escape characters, it does not check the 'type' variable, so malicious input in that parameter is passed to a shell. A remote attacker could use this to execute arbitrary commands on a web server running WebWho+ v1.1 with the uid of the web server process (usually nobody). Platforms affected: WebWho+ 1.1. Reference: http://www.securityfocus.com/archive/1/39839 |
| Recommendation | Obtain and install the latest version of WebWho+ from the WebWho+ website at http://www.webwho.co.uk. WebWho+ author Tony Greenwood states that this issue was resolved within one week of the advisory's release and that the bug is not present in any script released after February 2000. |
| Related URL | CVE-2000-0010 (CVE) |
| Related URL | 3748 (SecurityFocus) |
| Related URL | 892 (ISS) |
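The root cause described above is a whois wrapper that interpolates an unchecked CGI parameter into a shell command line. The following Perl is an added illustration, not WebWho+ code: it shows that pattern beside a hardened form that treats 'type' as a key into a fixed server table, restricts the query to a safe character set, and runs whois without a shell. The parameter names and the server allowlist are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added illustration, not WebWho+ code. Parameter names and the server
# table are assumptions for the example.
use strict;
use warnings;

# Unsafe pattern: one interpolated string is handed to /bin/sh, so any
# shell metacharacter in $type or $query is interpreted by the shell.
sub whois_unsafe {
    my ($type, $query) = @_;
    return scalar `whois -h $type $query`;
}

# Hardened, step 1: 'type' is never used as text; it selects an entry in
# a fixed table, so only listed server names can reach the command line.
my %SERVER_FOR_TYPE = (
    internic => 'whois.internic.net',   # constructed sample entries
    ripe     => 'whois.ripe.net',
);

# Hardened, step 2: the free-text query is limited to characters that can
# appear in a domain name or handle; it may not start with '-', so it can
# never be mistaken for a whois option. Anything else is rejected.
sub check_request {
    my ($type, $query) = @_;
    my $server = defined $type ? $SERVER_FOR_TYPE{$type} : undef;
    return (undef, undef, 'unknown type') unless $server;
    return (undef, undef, 'bad query')
        unless defined $query && length $query <= 253
            && $query =~ /^([A-Za-z0-9][A-Za-z0-9.-]*)$/;
    return ($server, $1, undef);
}

# Hardened, step 3: list-form open() execs whois with an argv array; no
# shell is involved, so metacharacters carry no special meaning.
sub whois_safe {
    my ($server, $query, $err) = check_request(@_);
    return (undef, $err) if $err;
    open(my $fh, '-|', 'whois', '-h', $server, $query)
        or return (undef, "cannot run whois: $!");
    local $/;                       # slurp the whole reply
    my $out = <$fh>;
    close $fh;
    return ($out, undef);
}

# Validation decisions on constructed input; no process is spawned here.
for my $q ('example.com', 'example.com; id', 'example.com`id`', '-h x') {
    my (undef, undef, $err) = check_request('ripe', $q);
    print "$q -> ", ($err ? "rejected ($err)" : 'accepted'), "\n";
}
```

Calling whois_safe('ripe', 'example.com') would perform the actual lookup; the demonstration loop only exercises the validation step so it runs offline.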