KW Whois Remote Command Execution Vulnerability

Unsafe code:
$site = $query->param('whois');   # untrusted value taken straight from the request
....
$app = `whois $site`;             # interpolated into a shell command line, so shell metacharacters in $site are honoured
print "$app .......

Proof of concept:
Type ";id" (without the quotes) into the input box. The semicolon ends the whois command inside the backtick shell, id runs as a second command, and its output is printed back in the page.
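The hardened form of the handler, added here as an illustration and not taken from the KW Whois code: the request value is checked against a strict hostname/IPv4 whitelist, and whois is started with Perl's list-form pipe open so that no shell ever parses the argument. The function names, the $query CGI object and the sample inputs are assumptions for the example.

```perl
#!/usr/bin/perl
# Added example, not the KW Whois code. Assumes a CGI-style $query object
# with a param() method and a whois binary on PATH; function names are
# hypothetical.
use strict;
use warnings;

# Whitelist check: a dotted IPv4 address or a dotted hostname. Anything else,
# including ';', '|', '`', '$(', whitespace and a leading '-', is rejected
# before any command is started.
sub valid_whois_target {
    my ($s) = @_;
    return 0 unless defined $s && length($s) <= 253;
    return 1 if $s =~ /\A(?:\d{1,3}\.){3}\d{1,3}\z/;    # IPv4 literal
    return 1 if $s =~ /\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?
                        (?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+\z/ix;   # hostname
    return 0;
}

# Safe execution: the list form of open('-|', PROGRAM, ARGS) passes argv to
# execve directly, so $site is never interpreted by /bin/sh even if the
# validation above were ever bypassed. The validation also guarantees the
# argument cannot start with '-', so it cannot be mistaken for a whois option.
sub run_whois {
    my ($site) = @_;
    die "invalid whois target\n" unless valid_whois_target($site);
    open(my $fh, '-|', 'whois', $site) or die "cannot run whois: $!\n";
    local $/;                    # slurp the whole response
    my $out = <$fh>;
    close $fh;
    return defined $out ? $out : '';
}

# Constructed sample inputs, including the advisory's ";id" payload.
my @samples = ('example.com', '192.0.2.10', ';id', 'example.com;id',
               '-h evil.example', 'a b');
for my $s (@samples) {
    printf "%-20s %s\n", $s, valid_whois_target($s) ? 'accepted' : 'rejected';
}

# In the CGI handler the backtick call becomes:
#   my $out = run_whois($query->param('whois'));
#   print $query->header('text/plain'), $out;
```

Running the script prints the validation verdict for each constructed input; only the first two are accepted. The whitelist is the primary control and the list-form open is defence in depth: either one alone blocks the ";id" injection, but the two together mean a future loosening of the pattern does not silently reintroduce a shell.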

Copyright 2010, SecurityFocus