ePerl Handling of ISINDEX Query Vulnerability

Vulnerability ID: 1105367    Vulnerability type: input validation
Published: 1998-07-06    Updated: 2005-05-02
CVE: CVE-1999-1437    CNNVD-ID: CNNVD-199807-007
Platform: Multiple    CVSS score: 7.5
|Vulnerability source
https://www.exploit-db.com/exploits/19120
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199807-007
|Vulnerability details
A vulnerability exists in ePerl 2.2.12: a remote attacker can read arbitrary files, and possibly execute certain commands, by supplying the full path name of the target file as a parameter to bar.phtml.
|Exploit
source: http://www.securityfocus.com/bid/151/info

A bug exists in ePerl's handling of the ISINDEX queries. When ISINDEX is used, the query is passed on the command line by the web server. This would allow an attacker to execute arbitrary code via the ePerl interpreter, with none of the restrictions enforced normally. In addition, this allows for the execution of any code on the file system.

1) Place perl code on filesystem. This could be done via a writeable directory on anonymous ftp.
2) Determine (or guess) the path to the code to be executed.
3) Run code via an appropriate cgi-bin program:
http://foo.com/some/dir/doit.phtml?/home/ftp/incoming/executemycode.phtml
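The defect described above is that a CGI program accepts an unnamed ISINDEX query (a query string with no `=`, which CGI/1.1 servers may also hand to the program as command-line words) and treats it as a path to a file to interpret. The check below is an added defensive example, not ePerl's own code and not part of the advisory: it ignores ISINDEX-style queries entirely, reads the script name only from a named query parameter (the parameter name `page`, the document root `/srv/www/htdocs` and the `.phtml` suffix are constructed assumptions), and confines the resolved path to the document root so neither absolute paths nor `..` traversal can reach files elsewhere on the filesystem.

```python
import posixpath
from urllib.parse import parse_qs

# Constructed settings for this example; assumptions, not ePerl's configuration.
DOC_ROOT = "/srv/www/htdocs"
ALLOWED_SUFFIXES = (".phtml",)
PARAM_NAME = "page"   # hypothetical named parameter replacing the unnamed ISINDEX query


def resolve_script_path(requested, doc_root=DOC_ROOT):
    """Map a client-supplied relative script name to a path under doc_root.

    Returns the canonical path, or None when the request is empty, absolute,
    escapes the document root via '..', or has a disallowed suffix. The
    normalisation is purely lexical, so the check is deterministic and offline.
    """
    if not requested or "\0" in requested:
        return None
    if requested.startswith("/"):
        # Absolute paths (as in the advisory's example query) are never accepted.
        return None
    root = posixpath.normpath(doc_root)
    candidate = posixpath.normpath(posixpath.join(root, requested))
    if not candidate.startswith(root + "/"):
        # '..' components resolved to somewhere outside the document root.
        return None
    if not candidate.endswith(ALLOWED_SUFFIXES):
        return None
    return candidate


def script_from_request(environ):
    """Pick the script to interpret from the CGI environment only.

    A query string without '=' is an ISINDEX query; under CGI/1.1 the server
    may pass it to the program as argv, so argv is attacker-controlled and is
    never consulted here. Such queries are refused instead of being used as a path.
    """
    qs = environ.get("QUERY_STRING", "")
    if "=" not in qs:
        return None
    values = parse_qs(qs, keep_blank_values=False).get(PARAM_NAME, [])
    if len(values) != 1:
        return None
    return resolve_script_path(values[0])


if __name__ == "__main__":
    # Constructed sample query strings, including the shape used in the advisory.
    samples = [
        ("page=docs/index.phtml", "/srv/www/htdocs/docs/index.phtml"),
        ("page=../../etc/passwd", None),
        ("/home/ftp/incoming/executemycode.phtml", None),   # ISINDEX-style: refused
        ("page=/home/ftp/incoming/executemycode.phtml", None),
        ("page=docs/notes.txt", None),
    ]
    for qs, expected in samples:
        got = script_from_request({"QUERY_STRING": qs})
        print(f"{qs!r:50} -> {got}")
        assert got == expected
```

The important design point is that the program derives the file to interpret from nothing the web server could have placed on its command line; with the path confined to the document root, a writable anonymous FTP directory elsewhere on the host is no longer reachable through the CGI program.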
|References

Source: BUGTRAQ
Name: 19980710 ePerl Security Update Available
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=90221104525927&w=2
Source: BUGTRAQ
Name: 19980707 ePerl: bad handling of ISINDEX queries
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=90221104525890&w=2
Source: BID
Name: 151
Link: http://www.securityfocus.com/bid/151