VID | 21733 |
Severity | 40 |
Port | 80, ... |
Protocol | TCP |
Class | CGI |
Detailed Description |
The WebHints program contains a command execution vulnerability in the hints.pl script. WebHints allows you to easily set up and maintain a "Hint (Quote/Tip/Joke/Whatever) of the Day" page. WebHints version 1.03 and earlier versions do not properly validate user-supplied input passed to the hints.pl script, which could allow a remote attacker to execute arbitrary system commands. A remote attacker could inject shell metacharacters ('|' or ';') to execute arbitrary shell commands on the system with the privileges of the Web server process.
* References: http://www.securitytracker.com/alerts/2005/Jun/1014173.html http://www.securityfocus.com/archive/1/401940
* Platforms Affected: WebScripts, WebHints version 1.03 and earlier versions; any operating system, any version |
Recommendation |
No upgrade or patch available as of October 2005.
Upgrade to a version of WebHints greater than 1.03 when a fixed version becomes available from the WebHints Web site at http://awsd.com/scripts/webhints/index.shtml |
Related URL | CVE-2005-1950 (CVE) |
Related URL | 13930 (SecurityFocus) |
Related URL | 20987 (ISS) |