[VIM] Pete Stein GoScript Remote Command Execution Vulnerability

George Theall gtheall at tenable.com
Wed Dec 4 20:48:01 CST 2013


I notice that SecurityFocus updated BID 10853 yesterday to include Monitorix among the affected products, presumably based on <https://github.com/mikaku/Monitorix/issues/30>. That’s incorrect. While our plugin that checks for the GoScript go.cgi code execution vulnerability does indeed flag Monitorix installs before 3.3.1, that application actually does not include the GoScript go.cgi and in fact the vulnerability arises because of the following code in the HTTP server itself:

        $target =~ s/^\///;                # removes leading slash
        $target_cgi =~ s/^\///;                # removes leading slash
        if($target_cgi eq "monitorix.cgi") {
                chdir("cgi");
                open(EXEC, "./$target_cgi |");
                @data = <EXEC>;
                close(EXEC);
        } elsif($target) {
                if(open(IN, $target)) {
                        @data = <IN>;
                        close(IN);
                }
        }

That is, it fails to sanitize the target_cgi value before using it in a Perl ‘open()’ call; even <http://example.com/some_nonexistent_url|id|> would work against it.


George
-- 
theall at tenable.com
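
The hardened counterpart to the pattern described in the message above, as an added example that is not part of the original post and is not Monitorix code: a hypothetical `read_static` helper validates the request path against an allow-list and reads it with Perl's three-argument `open()`, so a path such as `some_nonexistent_url|id|` is rejected and is never interpreted as a command. The helper name, the character allow-list and the temporary docroot are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example, not Monitorix code. Shows a request path being read strictly
# as a file, in contrast to the 2-argument open() quoted in the message.
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Temp qw(tempdir);

# Hypothetical helper: resolve $target under $docroot and read it as a plain
# file. Returns the content, or nothing if the request is rejected or missing.
sub read_static {
    my ($docroot, $target) = @_;
    $target =~ s{^/+}{};                          # removes leading slashes
    # Allow-list of characters: anything else ('|', '<', '>', ';', NUL) is refused
    return unless $target =~ /\A[A-Za-z0-9._\/-]+\z/;
    my $root = abs_path($docroot);
    my $path = abs_path("$docroot/$target");
    return unless defined $root && defined $path;
    return unless index($path, "$root/") == 0 && -f $path;   # stay inside docroot
    # 3-argument open: the mode is fixed to '<', so the file name is never
    # parsed for pipe or redirection characters as it is with 2-argument open.
    open(my $in, '<', $path) or return;
    local $/;                                     # slurp the whole file
    my $data = <$in>;
    close($in);
    return $data;
}

# Constructed sample docroot containing a single page
my $docroot = tempdir(CLEANUP => 1);
open(my $out, '>', "$docroot/index.html") or die "cannot create sample: $!";
print {$out} "<h1>ok</h1>\n";
close($out);

for my $req ('/index.html', '/some_nonexistent_url|id|') {
    my $data = read_static($docroot, $req);
    printf "%-28s => %s\n", $req, defined $data ? 'served' : 'rejected';
}
```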
