PHPNetToolpack Remote Command Execution Vulnerability

info
discussion
exploit
solution
references

PHPNetToolpack Remote Command Execution Vulnerability

PHPNetToolpack provides a web interface for finger, whois and traceroute. It is written in PHP and will run on most Unix and Linux variants.

PHPNetToolpack does not adequately filter shell metacharacters (such as ;, |, etc.) from user-supplied input. As a result, it is possible for a remote attacker to execute arbitrary commands with the privileges of the webserver.