I-Mall Commerce is susceptible to remote arbitrary command execution because input passed to i-mall.cgi is not validated before it reaches a shell.
cd734bed599af590e464cefdd5cc450f07f8a31d358c4f4b7e79813d99e7670e
06/29/2004
ZH2004-15SA (security advisory): I-Mall Commerce i-mall.cgi Remote Arbitrary Command Execution Vulnerability
Published: 29 06 2004
Released: 29 06 2004
Name: I-Mall
Affected Systems: All versions
Issue: Remote Arbitrary Command Execution
Author:
SPAX and z\ of ZetaLabs, Zone-h Laboratories - www.zone-h.org
SPAX@zone-h.org - z@zone-h.org - zetalabs@zone-h.org
Description
***********
object i-mall.cgi
class Input Validation Error
I-Mall Commerce is a CGI-based online shopping suite in the Korean language.
A remote command execution vulnerability in the I-Mall CGI application has been discovered by ZetaLabs, Zone-H Laboratories.
The issue is caused by insufficient sanitization of externally supplied data passed to the i-mall.cgi script, which allows a remote user to inject an arbitrary shell command that the script then executes. An attacker may exploit this vulnerability to execute commands in the security context of the web server hosting the affected script, that is, with the privileges of the web server's user account.
This vulnerability has been reported to affect all versions of I-Mall.
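The class of bug described above, as an added illustration written for this edition; it is not code from the I-Mall product or from ZetaLabs, and the advisory does not reproduce the vulnerable script or name the affected parameter. The parameter name "item", the "echo" command standing in for the script's real work, the request strings, and the use of Python instead of the script's own language are all assumptions. The vulnerable handler hands the decoded CGI parameter to a shell; the two other handlers show the standard fixes: invoking the command without a shell so metacharacters stay literal, and allow-listing the value before it reaches any sink.

```python
"""Shell command injection via an unvalidated CGI parameter, and two fixes.

Editor's illustrative example; NOT the i-mall.cgi source.  The parameter name
``item``, the ``echo`` stand-in command and the sample queries are assumptions.
"""
import re
import subprocess
from urllib.parse import parse_qs


def _param(query_string: str, name: str) -> str:
    """Return the first URL-decoded value of ``name`` from a CGI QUERY_STRING."""
    return parse_qs(query_string, keep_blank_values=True).get(name, [""])[0]


def vulnerable_lookup(query_string: str) -> str:
    """Interpolate the raw parameter into a shell command line (the bug).

    /bin/sh parses the whole string, so ``;``, ``|``, backticks or ``$(...)``
    in ``item`` let the client run arbitrary commands as the web-server user.
    """
    item = _param(query_string, "item")
    cmd = f"echo item={item}"  # stand-in for e.g. a grep over the catalogue
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def argv_only_lookup(query_string: str) -> str:
    """Same lookup with no shell: the parameter is a single argv element.

    Metacharacters are passed through literally instead of being interpreted,
    so the injection is neutralised even before any validation happens.
    """
    item = _param(query_string, "item")
    return subprocess.run(["echo", f"item={item}"],
                          capture_output=True, text=True).stdout


# Assumed alphabet for a catalogue item identifier.
ITEM_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def hardened_lookup(query_string: str) -> str:
    """Allow-list the parameter, then invoke the command without a shell.

    Rejecting anything outside the expected alphabet fails the request early
    and keeps the value safe for other sinks (file paths, log lines) as well.
    """
    item = _param(query_string, "item")
    if not ITEM_RE.fullmatch(item):
        raise ValueError(f"rejected item parameter: {item!r}")
    return subprocess.run(["echo", f"item={item}"],
                          capture_output=True, text=True).stdout


def hardened_rejects(query_string: str) -> bool:
    """True if the hardened handler refuses the request outright."""
    try:
        hardened_lookup(query_string)
    except ValueError:
        return True
    return False


# Constructed requests.  The malicious one is ``item=1234;echo INJECTED`` with
# ``;`` and the space URL-encoded, as a browser or exploit script would send it.
BENIGN_QUERY = "item=1234"
MALICIOUS_QUERY = "item=1234%3Becho%20INJECTED"

if __name__ == "__main__":
    print(repr(vulnerable_lookup(MALICIOUS_QUERY)))  # second command executes
    print(repr(argv_only_lookup(MALICIOUS_QUERY)))   # payload echoed literally
    print(hardened_rejects(MALICIOUS_QUERY))         # request refused
```

Run it on a POSIX system: the vulnerable handler prints "INJECTED" on its own line because the shell executed the attacker's second command, the argv-only handler prints the payload back as text, and the hardened handler refuses the request. The allow-list is preferred over quoting (shlex.quote) because it does not depend on knowing every sink the value will later reach.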
The following exploit is provided:
http://www.zone-h.org/download/file=5233/