OSVDB ID: 9773

Title: Whois Internic Lookup whois.cgi Domain Entry Arbitrary Command Execution

Dates

Disclosure: Nov 09, 1999
Discovery: Unknown
Exploit: Nov 09, 1999
Solution: Unknown

Description

Ranson Johnson's Whois Internic Lookup CGI contains a flaw that may allow a malicious user to execute arbitrary commands. The "whois.cgi" script does not properly sanitize shell metacharacters in the domain entry field. By sending a specially crafted domain request, a remote attacker can run any command on the system with the same privileges as the CGI program.
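The class of flaw described above is closed by validating the domain field against a hostname allowlist and running the lookup without a shell. The following is an added example, not code from whois.cgi or its author; the function names are hypothetical and it assumes a `whois` client is available on PATH.

```python
import re
import subprocess

# One DNS label: letters, digits, hyphens; never starts or ends with a hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN_RE = re.compile(rf"(?:{_LABEL}\.)+{_LABEL}")
MAX_DOMAIN_LEN = 253


def validate_domain(raw):
    """Return the normalised domain, or None if the field is not a plain hostname."""
    if not isinstance(raw, str):
        return None
    candidate = raw.strip().lower()
    if len(candidate) > MAX_DOMAIN_LEN or not _DOMAIN_RE.fullmatch(candidate):
        return None
    return candidate


def build_whois_argv(raw):
    """Build the argument vector for the lookup; raise ValueError on bad input."""
    domain = validate_domain(raw)
    if domain is None:
        raise ValueError("domain field rejected")
    # Assumption: a `whois` client is on PATH. Labels cannot begin with a
    # hyphen, so the validated value cannot be parsed as a command-line option.
    return ["whois", domain]


def lookup(raw, timeout=10):
    """Run the lookup with no shell: the field is one argv element, never shell text."""
    result = subprocess.run(build_whois_argv(raw), capture_output=True,
                            text=True, timeout=timeout, check=False)
    return result.stdout


# Constructed sample form values, not taken from the advisory.
SAMPLES = ["example.com", "Example.ORG ", "example.com; echo x", "-h.example.com"]

if __name__ == "__main__":
    for value in SAMPLES:
        print(repr(value), "->", validate_domain(value))
```

Either control alone narrows the exposure; together, a rejected field never reaches the client and an accepted one is never interpreted by a shell.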

Classification

Location: Remote/Network Access Required
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Available
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Products

Ranson Johnson Whois Internic Lookup 2.41

References

Credit

  • hhp - hhpBrand New Doo Doohhp.perlx.com -


Direct URL: http://osvdb.org/36218