'The Finger Server' is a perl script for providing .plan-like functionality through a website. Due to insufficient input checking it is possible for remote unauthenticated users to execute shell commands on the server, which will run with the privileges of the webserver.
A request like:
(split for readability)
will cause the server to execute whatever command is specified.
The Finger Server Shell Metacharacter Arbitrary Command Execution
Remote / Network Access
Loss of Integrity
Finger Server contains a flaw that may allow a malicious user to execute arbitrary shell commands. The issue is due to insufficient checking of user-supplied input before it reaches an "open()" call in the perl script, so shell metacharacters in a request are passed through to the command interpreter. By sending a specially crafted request, a remote attacker can run any shell commands under the privileges of the webserver, resulting in a loss of confidentiality, integrity, and/or availability.
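The following is an added illustration of the bug class described above, not code from The Finger Server itself: a constructed CGI-style lookup in which a query parameter reaches a two-argument Perl open() unchecked, beside a hardened version that validates the name and uses the list form of open() so no shell is involved. The parameter name "user", the use of finger(1), and the validation regex are all assumptions for the example.

```perl
#!/usr/bin/perl
# Added illustration, not code from The Finger Server. A constructed
# CGI-style lookup showing a query parameter reaching a two-argument
# Perl open() unchecked. The parameter name "user", the use of
# finger(1), and both function bodies are assumed.
use strict;
use warnings;

# The string a vulnerable script would hand to open(). With a trailing "|",
# two-argument open() runs the text before it as a command, and does so via
# /bin/sh whenever that text contains shell metacharacters such as ";" or "`".
sub open_string_vulnerable {
    my ($user) = @_;
    return "finger $user |";
}

# Vulnerable: user = "bob; id" becomes open(FH, "finger bob; id |"), and the
# shell runs "id" with the web server's privileges.
sub plan_vulnerable {
    my ($user) = @_;
    open(my $fh, open_string_vulnerable($user)) or return "open failed: $!";
    local $/;
    my $out = <$fh>;
    close $fh;
    return $out;
}

# Hardened, step 1: accept only a plausible login name (assumed pattern).
# Anything else is refused before it gets anywhere near open().
sub valid_user {
    my ($user) = @_;
    return defined $user && $user =~ /\A[a-z_][a-z0-9_-]{0,31}\z/ ? 1 : 0;
}

# Hardened, step 2: the list form of open() passes the program and its
# arguments straight to execvp(); no shell ever parses $user.
sub plan_hardened {
    my ($user) = @_;
    return "invalid user name\n" unless valid_user($user);
    open(my $fh, '-|', 'finger', $user) or return "open failed: $!";
    local $/;
    my $out = <$fh>;
    close $fh;
    return $out;
}

unless (caller) {
    # Constructed inputs: one legitimate name, the rest carrying shell
    # metacharacters. Only the open() strings are shown; nothing is executed.
    for my $u ('bob', 'bob; id', 'bob`id`', '$(id)', 'bob|cat /etc/passwd') {
        printf "%-22s open() string: %-34s hardened check: %s\n",
            "'$u'", "'" . open_string_vulnerable($u) . "'",
            valid_user($u) ? 'accepted' : 'rejected';
    }
}
```

The validation alone would stop this attack, but the list form of open() is the change that removes the shell from the path entirely, so a later mistake in the regex cannot reintroduce command execution.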
Upgrade to version 0.84BETA or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.