Dream Catchers Book of Guests CGI Remote Arbitrary Command Execution Vulnerability
Book of Guests is a CGI script used to maintain a web-based guestbook. The script fails to properly validate user-supplied CGI parameters, which are used to send email via a shell command. Maliciously formed URLs submitted to the script may contain shell commands, which will be run with the privilege level of the webserver (i.e. 'nobody').
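The pattern described above next to a hardened form, as an added example (not the Book of Guests source, which this page does not show). The mailer path, the sample values and all function names are assumptions made for illustration.

```python
import re
import shlex

SENDMAIL = "/usr/sbin/sendmail"  # assumed mailer path; not given in the advisory

# Allow-list for a recipient taken from a CGI parameter: plain mailbox only.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def is_safe_address(addr):
    """True only if the whole value is a plain address (no spaces, newlines,
    or shell metacharacters)."""
    return bool(ADDR_RE.fullmatch(addr))


def shell_string(addr):
    """Vulnerable pattern: the parameter is pasted into a string for sh -c."""
    return f"{SENDMAIL} {addr}"


def shell_operators(cmdline):
    """Control operators a POSIX shell would act on when parsing cmdline."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    return [tok for tok in lexer if tok and set(tok) <= set(";|&()<>")]


def build_mail(addr, body):
    """Hardened pattern: validate, then keep the value off the command line."""
    if not is_safe_address(addr):
        raise ValueError("recipient rejected")
    argv = [SENDMAIL, "-t", "-i"]  # -t: recipients are read from the headers
    message = f"To: {addr}\nSubject: Guestbook entry\n\n{body}\n"
    # Intended use: subprocess.run(argv, input=message, text=True)  (no shell)
    return argv, message


# Constructed sample values, not taken from the advisory.
GOOD = "guest@example.com"
BAD = "guest@example.com;echo INJECTED"

if __name__ == "__main__":
    print(shell_operators(shell_string(GOOD)))  # nothing for the shell to act on
    print(shell_operators(shell_string(BAD)))   # the shell sees a second command
    print(build_mail(GOOD, "Nice site!")[0])
```

Because the validated address travels in the message headers on standard input, the allow-list also has to reject line breaks, which `fullmatch` does here.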