WPS Web-Portal-System v.0.7.0 (wps_shop.cgi) remote commands execution vulnerability

Date July 15, 2005

Vendor URL : http://www.pcdoc24.de (vendor website seems to be down)
Vulnerability : Remote Command Execution
Risk : High

=================================
An attacker may exploit this vulnerability to execute commands on
the remote host by adding special parameters to the wps_shop.cgi script.

Problem:

Special characters are not filtered before the file is opened in sub showartikel.
Vulnerable code :

###########
sub showartikel {
###########
cartfooter();
open(DATA, "$shopcatsdir/$info{'cat'}/$info{'art'}");
lock(DATA);
…………………………………
…………………………………

}

Fix :

add :
$info{'art'} =~ s/[;<>\*\|'&\$!?#\(\)\[\]\{\}:'"\\]//go;

before :
open(DATA, "$shopcatsdir/$info{'cat'}/$info{'art'}");
}
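
The fix above strips a deny-list of characters from $info{'art'} only. As an added example (not code from the advisory or from WPS), the sketch below validates both path components against an allow-list and uses three-argument open. The helper names safe_name and open_artikel and the permitted character set are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: category and article names consist only of letters, digits,
# dot, underscore and hyphen. Adjust the pattern to the shop's real naming.
sub safe_name {
    my ($value) = @_;
    return undef unless defined $value;
    # Allow-list match. The first character must be alphanumeric, so ".",
    # ".." and hidden files are rejected; \A and \z anchor the whole string.
    return $value =~ /\A([A-Za-z0-9][A-Za-z0-9._-]{0,63})\z/ ? $1 : undef;
}

# Hypothetical replacement for the open() call in showartikel: returns a
# read-only file handle, or undef when a name is rejected or open fails.
sub open_artikel {
    my ($shopcatsdir, $cat, $art) = @_;
    my $safe_cat = safe_name($cat);
    my $safe_art = safe_name($art);
    return undef unless defined $safe_cat && defined $safe_art;

    # Three-argument open with an explicit '<' mode: the path is used only
    # as a file name and is never parsed for mode characters.
    open(my $fh, '<', "$shopcatsdir/$safe_cat/$safe_art") or return undef;
    return $fh;
}

# Constructed sample values for the 'cat' and 'art' parameters.
my @samples = (
    [ 'books', 'item1.txt' ],   # accepted
    [ 'books', 'item;1'    ],   # rejected: character outside the allow-list
    [ '..',    'item1.txt' ],   # rejected: parent-directory component
    [ 'books', "item1\n"   ],   # rejected: trailing newline
);

for my $sample (@samples) {
    my ($cat, $art) = @$sample;
    my $ok = defined safe_name($cat) && defined safe_name($art);
    (my $shown = "$cat/$art") =~ s/\n/\\n/g;
    printf "%-20s %s\n", $shown, $ok ? 'accepted' : 'rejected';
}
```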

June 2005 : bug found
Vendor website seems to be down and this hole has not been confirmed with the vendor
July 2005 : ———–
