gbook.cgi Remote Command Execution Vulnerability

Bill Hendrick's gbook.cgi is a guestbook script used by certain websites to log visitor names, comments and similar information.

Gbook.cgi fails to properly validate user-supplied input to the script's _MAILTO parameter. This allows a malicious user to append a ';' character to the definition of the _MAILTO field, followed by text containing malicious shell commands. These will be executed as the webserver, providing the attacker with an elevation of privileges, and, if properly exploited, allowing more serious compromises of the host system..


Privacy Statement
Copyright 2010, SecurityFocus