WPS Web-Portal-System v.0.7.0 (wps_shop.cgi) remote command execution vulnerability

Vendor URL    : http://www.pcdoc24.de (vendor website seems down)
Vulnerability : Remote Command Execution
Risk          : High

==================================================================

An attacker may exploit this vulnerability to execute commands on the
remote host by adding special parameters to the wps_shop.cgi script.

Problem:
Special characters are not filtered when the file is opened in sub showartikel.

Vulnerable code :

###########
sub showartikel {
###########
cartfooter();
# the request parameters 'cat' and 'art' reach open() unfiltered
open(DATA, "$shopcatsdir/$info{'cat'}/$info{'art'}");
lock(DATA);
.......................................
.......................................
}

Fix :

add :
$info{'art'} =~ s/[;<>\*\|'&\$!?#\(\)\[\]\{\}:'"\\]//go;

before :
open(DATA, "$shopcatsdir/$info{'cat'}/$info{'art'}");
}

June 2005 : bug found. The vendor website seems down and this hole was not confirmed to the vendor.
July 2005 : -----------

==================================================================

HAPPY BIRTHDAY TO 'PRABA ALKAUSAR HG'
MAY YOU BECOME A USEFUL PERSON... AMEN...

bug found and reported by blahplok@xxxxxxxxx
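
As a complement to the character filter above, this added example (not code from WPS or from the advisory author) checks both 'cat' and 'art' against an allow-list and uses Perl's three-argument open(), which treats the name only as a file to read. The names safe_component and open_article, the allow-list pattern and the sample catalogue are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Path qw(make_path);

# Allow-list for one path component (assumed policy): letters, digits,
# '_', '-' and '.', not starting with a dot, at most 64 characters.
# Shell metacharacters and path separators never match.
sub safe_component {
    my ($value) = @_;
    return undef unless defined $value;
    return $value =~ /\A([A-Za-z0-9_-][A-Za-z0-9_.-]{0,63})\z/ ? $1 : undef;
}

# Hypothetical replacement for the open() call in showartikel: validate
# both request parameters, then open with an explicit read mode so the
# name can never be interpreted as a pipe or as a write target.
sub open_article {
    my ($shopcatsdir, $cat, $art) = @_;
    my $safe_cat = safe_component($cat);
    my $safe_art = safe_component($art);
    return unless defined $safe_cat && defined $safe_art;
    open(my $fh, '<', "$shopcatsdir/$safe_cat/$safe_art") or return;
    return $fh;
}

# Constructed sample data: a throwaway catalogue with a single article.
my $dir = tempdir(CLEANUP => 1);
make_path("$dir/books");
open(my $out, '>', "$dir/books/item1.txt") or die "setup failed: $!";
print {$out} "Sample article\n";
close($out);

# Constructed requests: one well-formed, the others carrying characters
# from the advisory's filter list or a path separator.
my @requests = (
    ['books',  'item1.txt'],
    ['books',  'item1.txt|'],
    ['books;', 'item1.txt'],
    ['books',  'sub/item1.txt'],
);
for my $r (@requests) {
    my ($cat, $art) = @$r;
    my $fh = open_article($dir, $cat, $art);
    printf "%-8s %-16s %s\n", $cat, $art, $fh ? 'opened' : 'rejected';
    close($fh) if $fh;
}
```

Rejecting a request outright, rather than stripping characters and continuing, also keeps a malformed 'cat' or 'art' value from silently resolving to a different file.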