Title: Gnatsweb Remote Command Execution Vulnerability
Severity: HIGH
Description:
Gnatsweb is a web-based interface to the GNU bug management system 'Gnats'. In recent versions of Gnatsweb, a new help system has been implemented. This help system contains a vulnerability that may allow attackers to gain access to the affected webserver.
The help file is specified by the value of the 'help_file' HTML variable. The remotely-supplied value of this variable is passed directly to the Perl open() function.
This vulnerability is dangerous because remote attackers may be able to execute commands on the underlying host. This may be possible by placing a '|' character in the variable, which may cause the Perl interpreter to execute the argument to open() as a command rather than read from it as a file.
Remote attackers can also use '../' character sequences preceding the file name in 'help_file' to request an arbitrary file from outside of the 'webroot'. The contents of the requested file are output to the browser as though it were a legitimate help file.
This vulnerability could allow an attacker to gain 'local' access to the host. It is significantly easier to compromise the entire system if local access is obtained.
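Both behaviours described above follow from handing the request value to open() unchecked. The following Perl is an added example, not code from Gnatsweb or its advisory, showing the usual defensive form: an allowlisted bare file name plus three-argument open(). The helper name read_help_file, the $HELP_DIR directory and the sample values are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Hypothetical help directory, constructed here so the example runs offline.
my $HELP_DIR = tempdir(CLEANUP => 1);
{
    open(my $fh, '>', File::Spec->catfile($HELP_DIR, 'query.html')) or die "setup: $!";
    print {$fh} "<p>Constructed sample help text.</p>\n";
    close($fh);
}

# Pattern the advisory describes (shown as a comment, not executed):
#   open(HELP, $help_file);
# Two-argument open() reads mode characters out of the string itself, so a
# '|' in the value selects a pipe, and nothing constrains the path.

# Hardened reader (hypothetical helper): returns the file contents or undef.
sub read_help_file {
    my ($name) = @_;
    return unless defined $name;

    # Allowlist: a bare file name only. No '/', no '|', no leading dot.
    return unless $name =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/;
    my $safe = $1;    # the capture is also what untaints the value under -T

    my $path = File::Spec->catfile($HELP_DIR, $safe);
    return unless -f $path && !-l $path;    # regular file, not a symlink

    # Three-argument open(): the mode is fixed to read; the path is only a path.
    open(my $fh, '<', $path) or return;
    local $/;                               # slurp the whole file
    my $body = <$fh>;
    close($fh);
    return $body;
}

# Constructed sample values for the help_file parameter.
for my $value ('query.html', '../../outside.txt', 'query.html|', '|query.html', '.hidden') {
    my $body = read_help_file($value);
    printf "%-20s => %s\n", $value, defined $body ? 'served' : 'rejected';
}
```

Only the first sample value is served; the others fail the allowlist before any file system call is made.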
Affected Products:
- GNU Gnatsweb 2.7.0 beta
- GNU Gnatsweb 2.8.0
- GNU Gnatsweb 2.8.1
- GNU Gnatsweb 3.95.0 GNATS 4
References:
- GNU: Gnats Homepage
- GNU: Gnatsweb Security Advisory