Home page logo
/

bugtraq logo Bugtraq mailing list archives

vuln in wwwisis: remote command execution and get files
From: Klaus Ripke <krip () openisis org>
Date: Thu, 28 Mar 2002 17:26:57 +0100

Name               : wwwisis remote command execution and get files
Software Package   : wwwisis
possibly affected  : JavaISIS and other tools based on wwwisis
Vendor Homepage    : http://www.bireme.br/isis/I/wwwi.htm
Vulnerable Versions: 3.45 verified, probably others
Platforms          : Linux verified, probably others
Vulnerability Type : Input Validation Error
Vendor Contacted   : 28 Feb 2002
Vendor Replied     : 01 Mar 2002



CONTACT INFORMATION
===============================================================================

Name                   : Klaus Ripke
E-mail                 : krip () openisis org

Vendor contact name    : Abel Laerte Packer
Vendor contact e-mail  : abel () brm bireme br



TECHNICAL INFO
===============================================================================


Introduction:

wwwisis runs as cgi to query mostly bibliographical databases.
Deployed on probably some hundred systems or more.
While this vuln is probably currently not being exploited,
it's possible to install workarounds right now,
therefore this information is published.


Summary:

In common setups of wwwisis, query parameters can be forged
to have wwwisis execute any (shell) command and display any
readable file as allowed for the user of the cgi process.
Vulnerability can be avoided with careful setup.


Description:

Input parameters from query string are not checked for bad input.
In common plain-vanilla setups such as the examples in the manual,
it is possible to have the process execute any format as sent by the
remote user. The formatting language has some too powerful functions.
There is also an alternate attack possibility abusing PATH_INFO.


Impact:

Ability to execute any command and get any file as allowed for
the cgi process.


Exploits:

Since there is not yet a fix published,
and the vuln is probably currently not being exploited,
details are to follow at a later time.


Workaround:

Avoid wwwisis being called directly -- wrap it up in a perl -t script.
Wipe out any suspicious stuff from query params, clean up the ENV,
then exec wwwisis with a list of params. Read the perlsec manpage.


Vendor Status:

Bireme will check it out.


  By Date           By Thread  

Current thread:
  • vuln in wwwisis: remote command execution and get files Klaus Ripke (Mar 28)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault