Dream Catchers Book of Guests CGI Remote Arbitrary Command Execution Vulnerability

Book of Guests is a CGI script used to maintain a web-based guestbook.

The script fails to properly validate user-supplied CGI parameters, which it passes to a shell command used to send email. Maliciously formed URLs submitted to the script may contain shell commands, which will be run with the privilege level of the webserver (i.e. 'nobody').
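
The flaw class described above, next to a hardened way to send the same notification, as an added example that is not the script's own code. Python is used for illustration; the `mail` command line, the sendmail path, the addresses and all function names are assumptions.

```python
import re
import subprocess
from email.message import EmailMessage

SENDMAIL = "/usr/sbin/sendmail"  # assumed path of the local MTA binary

# Conservative allow-list for one address: no whitespace, quotes,
# newlines or shell metacharacters can match.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def unsafe_command(recipient: str) -> str:
    """Flawed pattern (assumed form): the CGI parameter is pasted into a
    string that a shell will parse, so metacharacters are interpreted."""
    return f"mail -s 'New guestbook entry' {recipient}"


def validate_recipient(value: str) -> str:
    """Accept a single plain address or raise ValueError."""
    if len(value) > 254 or value.startswith("-") or not ADDR_RE.fullmatch(value):
        raise ValueError("rejected recipient")
    return value


def build_notification(recipient: str, entry_text: str):
    """Return (argv, message bytes). User data is carried only in the
    message on stdin, never on a command line."""
    msg = EmailMessage()
    msg["To"] = validate_recipient(recipient)
    msg["From"] = "guestbook@example.org"  # constructed sender
    msg["Subject"] = "New guestbook entry"
    msg.set_content(entry_text)
    # -oi: a lone "." does not end input; -t: recipients come from headers.
    return [SENDMAIL, "-oi", "-t"], msg.as_bytes()


def send_notification(recipient: str, entry_text: str) -> None:
    argv, body = build_notification(recipient, entry_text)
    # Argument list with shell=False: no shell ever parses the input.
    subprocess.run(argv, input=body, check=True, shell=False)
```

The validation also rejects embedded newlines, so a parameter cannot add extra mail headers when the recipient is moved from the command line into the message.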


 

Copyright 2010, SecurityFocus