Solaris AnswerBook2 Remote Command Execution Vulnerability

From the Bugtraq post:

One of the options you have while administering the AB2 is to rotate the
access and error logs. The server allows you to specify the target file
where the logs will be rotated to. You can use ../../../../../this/file to
create and overwrite files outside the web server document root directory.
Further investigation showed that the server performs the following command
to rotate the server logs:

sh -c "cp /var/log/ab2/logs/original_log
/var/log/ab2/logs/USER_PROVIDED_TARGET"

So an attacker could specify a destination log like "x ; uname -a" that will
translate to:

sh -c "cp /var/log/ab2/logs/original_log /var/log/abs/logs/x ; uname -a"


 

Privacy Statement
Copyright 2010, SecurityFocus