Mailnews.cgi Username Remote Shell Commands Vulnerability

Mailnews.cgi fails to check remote user-supplied input for shell metacharacters. A remote attacker can add a new user to the mailnews user file whose username field contains malicious shell commands. When this data is displayed, the embedded commands execute with the privileges of the webserver process.
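
The missing check described above, sketched as an added example (not code from Mailnews.cgi or its author): an allowlist applied before a username is written, plus an audit pass over an existing user file. The colon-separated record layout, the 32-character limit and all function names are assumptions made for illustration.

```python
import re

# Assumed policy: letters, digits, dot, underscore, hyphen; 1 to 32 characters.
USERNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,31}")

# Characters a POSIX shell treats specially, plus whitespace.
SHELL_META = set("`$|;&<>(){}[]*?!~#'\"\\ \t\n\r")


def is_safe_username(name):
    """True only when the whole string matches the allowlist."""
    return USERNAME_RE.fullmatch(name) is not None


def add_user(records, username, password_hash):
    """Append a 'username:hash' record, refusing names outside the allowlist."""
    if not is_safe_username(username):
        raise ValueError("rejected username: %r" % username)
    records.append("%s:%s" % (username, password_hash))


def audit_user_file(lines):
    """Return (line_no, username, shell_metacharacters) for each suspect record."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        # Assumed layout: the username is the first colon-separated field.
        username = line.rstrip("\n").split(":", 1)[0]
        if not is_safe_username(username):
            meta = sorted(c for c in set(username) if c in SHELL_META)
            findings.append((line_no, username, meta))
    return findings


# Constructed sample records (not taken from a real user file).
SAMPLE = [
    "alice:HASH_PLACEHOLDER_1",
    "bob;id:HASH_PLACEHOLDER_2",
    "carol`uname`:HASH_PLACEHOLDER_3",
    "dave.smith:HASH_PLACEHOLDER_4",
]

if __name__ == "__main__":
    for line_no, username, meta in audit_user_file(SAMPLE):
        print("line %d: %r contains %s" % (line_no, username, meta))
```

Validation at write time does not clean records stored before the check existed, which is why the audit pass is included; code that displays the data should also avoid handing stored fields to a shell.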


 

Copyright 2010, SecurityFocus