Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Geac ADVANCE library system security HOLE
From: damian () DLK COM AU (Damian Kelly)
Date: Sat, 4 Apr 1998 10:40:26 +1000



While i was messing around with a Univeristy Library system (specifically
a Geac ADVANCE (3.01) ) i was trying to shell out to UNIX (Geac Computer
Corporation Limited is a company that makes UNIX based library automation
systems for public, academic, and special libraries. For more information
you can visit their website at http://www.geac.com) i tried some control characters and i noticed
that if you press "CTRL-v", the library system shells out to some
environment with a "::" prompt (i haven't tried to figure out what it is.).

Then i tried some commands like "LS", "HELP", "CD" ... NO LUCK. Anyway, if
you type "Q" the system shells you somewhere else with a ">" prompt.

FYI,

You have landed at the Universe prompt (underlying database of Geac).
Basically a variant of Pick.

This indicates a poorly configured system:

a) All exit control key combinations not correctly disabled
b) Accounts with access to the Geac shell (Universe/application) should be
via a custom C executable or Perl script, not a normal Unix shell.

(I administered a large Geac system for some years).

What you describe probably would work on any badly configured Universe
system. Geac is not the only user of Universe. It is quite common in some
applications.

Damian



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault