Super Site Searcher Remote Arbitrary Command Execution Vulnerability

Vulnerability ID: 1106958    Vulnerability type: Input validation
Published: 2002-09-03    Updated: 2002-12-31
CVE ID: CVE-2002-2420
CNNVD ID: CNNVD-200212-303
Platform: CGI    CVSS score: 7.5
|Sources
https://www.exploit-db.com/exploits/21768
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200212-303
|Details
Super Site Searcher is a web-based search engine system. It does not properly filter user-supplied input, so a remote attacker can exploit this flaw to execute arbitrary commands on the system with the privileges of the web server. The site_searcher.cgi script in Super Site Searcher does not adequately filter shell escape characters in the user-supplied query parameters; a submitted value containing shell metacharacters such as "|" is passed directly to the shell and executed with web-server privileges.
|Exploit
source: http://www.securityfocus.com/bid/5605/info

Super Site Searcher is prone to remote command execution. Shell metacharacters are not adequately filtered from query string parameters in a request to the vulnerable search engine script. The parameters are then used in a function which passes commands directly through the shell.

A remote attacker may exploit this condition to execute arbitrary commands on the shell with the privileges of the webserver process.

Simple Site Searcher, released by the same vendor, is also prone to this issue.

http://target/searchenginepath/site_searcher.cgi?page=|command|
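As an added defender-side example (not code from the advisory or the vendor), the snippet below applies the fix the advisory implies, an allowlist for the page parameter instead of passing it to a shell, and scans constructed access-log lines for requests to site_searcher.cgi whose decoded query values fail that allowlist. The log lines and the allowlist pattern are assumptions.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Allowlist for the 'page' parameter (an assumption, not the vendor's fix):
# only a short relative page name, so "|", ";", "`", "$" and friends can
# never reach the shell. Allowlisting beats blocklisting metacharacters.
PAGE_OK = re.compile(r"^[A-Za-z0-9_./-]{1,64}$")


def is_safe_page_param(value: str) -> bool:
    """True only if the value matches the allowlist and has no traversal."""
    return bool(PAGE_OK.match(value)) and ".." not in value


# Constructed Common Log Format lines (not from a real server). The second
# line carries the advisory's "|command|" pattern percent-encoded.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Sep/2002:10:00:01 +0000] "GET /cgi-bin/site_searcher.cgi?page=index.html HTTP/1.0" 200 512
203.0.113.9 - - [03/Sep/2002:10:00:07 +0000] "GET /cgi-bin/site_searcher.cgi?page=%7Ccommand%7C HTTP/1.0" 200 88
198.51.100.2 - - [03/Sep/2002:10:01:00 +0000] "GET /cgi-bin/site_searcher.cgi?page=about;id HTTP/1.0" 200 90
198.51.100.7 - - [03/Sep/2002:10:02:00 +0000] "GET /index.html HTTP/1.0" 200 1024
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def scan_access_log(text: str) -> list:
    """Return (client_ip, param, decoded_value) for every request to
    site_searcher.cgi whose query value fails the allowlist.
    Values are percent-decoded first so %7C is seen as '|'."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        if not parts.path.endswith("/site_searcher.cgi"):
            continue
        # Split the query by hand so ';' is treated as data, not a separator.
        for pair in parts.query.split("&"):
            name, _, raw = pair.partition("=")
            value = unquote_plus(raw)
            if not is_safe_page_param(value):
                hits.append((line.split()[0], unquote_plus(name), value))
    return hits


if __name__ == "__main__":
    for ip, name, value in scan_access_log(SAMPLE_LOG):
        print(f"suspicious request from {ip}: {name}={value!r}")
```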
|References

Source: BID
Name: 5605
Link: http://www.securityfocus.com/bid/5605
Source: SECTRACK
Name: 1005190
Link: http://securitytracker.com/id?1005190
Source: NSFOCUS
Name: 3453
Link: http://www.nsfocus.net/vulndb/3453
