J-Security Center

Title: cgiCentral WebStore Arbitrary Command Execution Vulnerability

Severity: HIGH

Description:

cgiCentral's WebStore is a shopping cart application which processes and manages online purchases.

A script that is included with WebStore, 'ws_mail.cgi', is subject to a vulnerability which can be exploited by a privileged remote attacker.

'ws_mail.cgi' calls system() with user-supplied data in the command string. Because it does not filter metacharacters out of the user-supplied data, it is possible for administrators to execute arbitrary commands on webserver hosts.

When the 'terminate' HTML variable is passed to 'ws_mail.cgi', system() is used to execute the 'kill' command with the value of the HTML variable 'kill' as its argument. A malicious user can modify the value of the HTML variable 'kill' so that it causes extra commands to be executed along with the 'kill' utility. This is possible because system() uses '/bin/sh' to parse the command string, so any metacharacters in the command string are interpreted and acted upon by '/bin/sh'. An attacker may use this vulnerability to gain access to the webserver host.

It should be noted that administrative privileges in Webstore are required to exploit this vulnerability. Malicious administrators, who do not have access to the host serving the script, may use this vulnerability to gain access. If remote attackers can authenticate as administrators, they may also be able to exploit this vulnerability to gain access to the host. Bugtraq ID 2860 creates a condition where this may be possible.
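The following is an added example, not code from cgiCentral WebStore or from this advisory. It shows the unsafe pattern the advisory describes (the request value spliced into a command string that system() would hand to /bin/sh), the hardened form of the same 'terminate' handler (allow-list validation of the 'kill' value plus an argv list so no shell parses the data), and a small access-log check that flags requests to ws_mail.cgi whose 'kill' value is not a plain process id. The parameter names 'terminate' and 'kill' and the script name come from the advisory; the function names, the log format and the sample log lines are assumptions constructed for illustration.

```python
"""Added example (not WebStore code): vulnerable pattern, hardened handler,
and a log check for the ws_mail.cgi 'terminate' / 'kill' parameters."""
import re
import subprocess
from typing import Callable, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Characters /bin/sh treats specially; any of these inside data that is pasted
# into a command string lets the data alter the command. (Assumed list, kept
# broad on purpose for the detection check below.)
SHELL_METACHARACTERS = set(";|&$`()<>\\\"'*?[]{}~!\n\r ")

# Only a plain decimal process id should ever reach 'kill'.
PID_RE = re.compile(r"^[1-9][0-9]{0,9}$")


def unsafe_command_string(kill_value: str) -> str:
    """The vulnerable construction described in the advisory: the request value
    is spliced straight into the string system() would pass to /bin/sh.
    It is returned, never executed, so the effect of metacharacters can be
    inspected without running anything."""
    return "kill " + kill_value


def has_shell_metacharacters(value: str) -> bool:
    """True if /bin/sh would interpret part of the value as syntax."""
    return any(ch in SHELL_METACHARACTERS for ch in value)


def is_safe_kill_value(value: str) -> bool:
    """Allow-list check: accept only a decimal pid, reject everything else."""
    return PID_RE.match(value) is not None


def validate_pid(kill_value: str) -> int:
    if not is_safe_kill_value(kill_value):
        raise ValueError("kill parameter must be a plain process id")
    return int(kill_value)


def safe_kill_argv(kill_value: str) -> List[str]:
    """Hardened form: validated pid, argv list, no shell involved."""
    return ["kill", str(validate_pid(kill_value))]


def handle_terminate(params: dict,
                     run: Optional[Callable[[List[str]], object]] = None
                     ) -> Optional[List[str]]:
    """Handler for the 'terminate' action. 'run' defaults to subprocess.run
    with an argv list (shell=False), so /bin/sh never parses request data.
    Returns the argv that was executed, or None if 'terminate' was absent."""
    if "terminate" not in params:
        return None
    argv = safe_kill_argv(params.get("kill", ""))
    if run is None:
        run = lambda a: subprocess.run(a, check=False)
    run(argv)
    return argv


def suspicious_kill_requests(log_lines) -> List[Tuple[str, str]]:
    """Detection: flag access-log requests to ws_mail.cgi that carry
    'terminate' and a 'kill' value that is not a plain pid.
    Assumed Common Log Format: client ... "GET /path?query HTTP/1.0" status size.
    Returns (client address, decoded kill value) per hit."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S*ws_mail\.cgi\S*) HTTP/', line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
        if "terminate" not in qs:
            continue
        for value in qs.get("kill", [""]):
            if not is_safe_kill_value(value):
                hits.append((line.split()[0], value))
    return hits


# Constructed sample log lines (not from any real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jul/2001:10:00:00 +0000] "GET /cgi-bin/ws_mail.cgi?terminate=1&kill=4711 HTTP/1.0" 200 312',
    '10.0.0.9 - - [01/Jul/2001:10:01:12 +0000] "GET /cgi-bin/ws_mail.cgi?terminate=1&kill=4711%3Bextra HTTP/1.0" 200 512',
    '10.0.0.7 - - [01/Jul/2001:10:02:00 +0000] "GET /cgi-bin/ws_mail.cgi?list=1 HTTP/1.0" 200 100',
]

if __name__ == "__main__":
    print("unsafe string:", repr(unsafe_command_string("4711;extra")))
    print("hardened argv:", handle_terminate({"terminate": "1", "kill": "4711"},
                                             run=lambda a: None))
    print("flagged:", suspicious_kill_requests(SAMPLE_LOG))
```

The hardened handler rejects rather than strips: a value that is not a bare pid is refused outright, which is simpler to reason about than trying to enumerate every character /bin/sh might interpret. The log check applies the same allow-list to historical requests, so the decoded value `4711;extra` in the second constructed line is reported while the first is not.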

Affected Products:

  • cgiCentral WebStore 400 4.14.0
  • cgiCentral WebStore 400CS 4.14.0

References:
