PNG Counter+ log analysis script remote command execution vulnerability

Vendor URL    : http://www.aurora.dti.ne.jp/~zom/Counter/
Vulnerability : Remote Command Execution
Risk          : High

==================================================================

An attacker may exploit this vulnerability to execute commands on the remote host by adding special parameters to the Kaiseki.cgi script.

Problem:

Special characters are not filtered before the file is opened in sub ReadLog. Perl's two-argument open() treats a leading or trailing '|' in the file name as a command to run, so an unfiltered log name supplied in the request is executed instead of being read.

Vulnerable code :

    sub ReadLog {
        .......
        .......
        $imaLog = $$log;
        if(!open(IN, "./$main::logdir/$imaLog")) {
        .......
        .......
    }

Fix :

add :

    $$log =~ s/[;<>\*\|'&\$!?#\(\)\[\]\{\}:'"\\]//go;

before :

    $imaLog = $$log;
    if(!open(IN, "./$main::logdir/$imaLog")) {
    .....
    }

Example exploitation :

    http://[target]/cgi-bin/kaiseki.cgi?file.extension|command|
or
    http://[target]/cgi-bin/kaiseki.cgi?|command|

Timeline :

    June 2005   : bug found
    July 7 2005 : vendor contact
    July 7 2005 : Vendor response
    July 2005   : ----------

==================================================================

by blahplok
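A stricter alternative to the character blacklist in the fix above, shown as an added example that is not code from Kaiseki.cgi or its vendor: the log name is checked against an allowlist and opened with three-argument open(), so '|' is never interpreted and path separators, which the blacklist leaves in place, are rejected too. The helper name open_log_safely, the temporary directory and the sample file name are assumptions made for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Hypothetical helper (not from Kaiseki.cgi): validate the requested log
# name against an allowlist, then open it read-only with three-argument open.
sub open_log_safely {
    my ($logdir, $name) = @_;

    # Allow only plain file names: letters, digits, '_' and '-', with single
    # dots between them. This rejects '|', ';', '/', '..' and empty input.
    return (undef, "invalid log name")
        unless defined $name
            && $name =~ /\A[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)*\z/;

    # Three-argument open with an explicit '<' mode: the path is never
    # parsed for pipe or redirection characters.
    open(my $in, '<', "$logdir/$name")
        or return (undef, "cannot open log: $!");
    return ($in, undef);
}

# Constructed sample data: a temporary log directory holding one log file.
my $logdir = tempdir(CLEANUP => 1);
open(my $out, '>', "$logdir/200507.log") or die "setup failed: $!";
print {$out} "constructed sample entry\n";
close($out);

# Constructed inputs: one legitimate name, the two request shapes from the
# advisory, a parent-directory reference and an empty value.
for my $name ('200507.log', '200507.log|command|', '|command|',
              '../200507.log', '') {
    my ($fh, $err) = open_log_safely($logdir, $name);
    if ($fh) {
        my $first = <$fh>;
        chomp $first;
        close($fh);
        printf "%-24s accepted, first line: %s\n", "'$name'", $first;
    } else {
        printf "%-24s rejected (%s)\n", "'$name'", $err;
    }
}
```

Only the first input is accepted; the other four are refused before open() is reached.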