PWC.CGI Syslog Format String Vulnerability

A remote format string vulnerability exists in pwc.cgi, a script designed to permit administrators to change user passwords remotely via a browser.

Due to a failure to properly validate user-supplied input argumenting a call to syslog(), it is possible for a remote attacker to supply malicious input to the script which contains hostile shellcode. Properly exploited, the supplied code will execute with the privilege level of the webserver process.


Privacy Statement
Copyright 2010, SecurityFocus