Re: Remote command execution via KW Whois 1.0 (addition)

[Mark Stratman <mstrat1 () UIC EDU>]

Sorry to have to post again, this is just an addition for the sake of
completeness.

KW Whois url: http://www.kootenayweb.bc.ca/scripts/whois.html

Fix:
Parse out unsafe characters in $query->param with standard cgi checking
(see http://www.n3t.net/programming/)
        
On Sun, 29 Oct 2000, Mark Stratman wrote:

> Greetings,
>
> There is a vulnerability in Kootenay Web Inc's KW Whois v1.0 which allows
> malicious users to execute commands as the uid/gid of the webserver.
> The hole lies in unchecked user input via an input form box.
> The form element <input type=text name="whois"> is not checked by the
> script for unsafe characters.
> Unsafe code:
> $site = $query->param('whois');
> ....
> $app = `whois $site`;
> print "$app .......
>
> Proof of concept:
>       Type ";id" (without the quotes) into the input box.
>
> cheers.
> Mark Stratman (count0)
> (mstrat1 () uic edu)
> http://sporkstorms.org