[VIM] Pete Stein GoScript Remote Command Execution Vulnerability

Dinesh Theerthagiri Dinesh_Theerthagiri at symantec.com
Tue Dec 10 04:00:51 CST 2013


George,

We updated BID 10853 accordingly.

Monitorix was removed from this BID because the information does not relate to this document.

Wrote a different BID for Monitorix: 64178.


Thanks,
T.Dinesh



-----Original Message-----
From: vim-bounces at attrition.org [mailto:vim-bounces at attrition.org] On Behalf Of George Theall
Sent: Thursday, December 05, 2013 8:18 AM
To: Vulnerability Information Managers
Subject: [VIM] Pete Stein GoScript Remote Command Execution Vulnerability

I notice that SecurityFocus updated BID 10853 yesterday to include Monitorix among the affected products, presumably based on <https://github.com/mikaku/Monitorix/issues/30>. That's incorrect. While our plugin that checks for the GoScript go.cgi code execution vulnerability does indeed flag Monitorix installs before 3.3.1, that application actually does not include the GoScript go.cgi, and in fact the vulnerability arises because of the following code in the HTTP server itself:

        $target =~ s/^\///;                # removes leading slash
        $target_cgi =~ s/^\///;            # removes leading slash
        if($target_cgi eq "monitorix.cgi") {
                chdir("cgi");
                open(EXEC, "./$target_cgi |");   # two-argument pipe open: runs the CGI via the shell
                @data = <EXEC>;
                close(EXEC);
        } elsif($target) {
                if(open(IN, $target)) {          # two-argument open on the raw request path;
                        @data = <IN>;            # a trailing '|' makes Perl run it as a command
                        close(IN);
                }
        }

That is, it fails to sanitize the target_cgi value before using it in a Perl 'open()' call; even <http://example.com/some_nonexistent_url|id|> would work against it.


George
-- 
theall at tenable.com
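The two-argument open() behaviour George describes, shown as an added example that is not part of the original message and is not Monitorix's own code: a file-serving routine written in the vulnerable style next to a hardened one that uses three-argument open() and an allow-list. The read_target_* names, the scratch directory and the path regex are assumptions made for this example.

```perl
#!/usr/bin/perl
# Added example, not Monitorix code: why an unsanitized path reaching a
# two-argument open() gives command execution, and how to close it.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Vulnerable pattern (mirrors the server snippet above): two-argument open().
# Perl inspects the "filename" for special forms; a trailing '|' means
# "run everything before it as a shell command and read its output".
sub read_target_vulnerable {
    my ($target) = @_;
    $target =~ s/^\///;                 # removes leading slash, as the server does
    my @data;
    if (open(my $in, $target)) {        # "foo|echo X|" => runs `foo|echo X`
        @data = <$in>;
        close($in);
    }
    return join('', @data);
}

# Hardened version: three-argument open() with an explicit '<' mode never
# treats the path as a command. The allow-list (an assumption for this
# example) keeps the path relative, printable and free of '..' components.
sub read_target_safe {
    my ($target) = @_;
    $target =~ s/^\///;
    return undef unless $target =~ m{\A[A-Za-z0-9_][A-Za-z0-9_.\-/]*\z};
    return undef if grep { $_ eq '..' } split m{/}, $target;
    my @data;
    if (open(my $in, '<', $target)) {   # '<' mode: $target can only name a file
        @data = <$in>;
        close($in);
    }
    return join('', @data);
}

# Constructed demo: a scratch directory holding one real document.
my $dir = tempdir(CLEANUP => 1);
chdir($dir) or die "chdir: $!";
open(my $doc, '>', 'index.html') or die "write: $!";
print $doc "<h1>hello</h1>\n";
close($doc);

my $legit   = '/index.html';
my $payload = '/some_nonexistent_url|echo INJECTED|';   # the URL shape George cites

print "vulnerable, legit:   ", read_target_vulnerable($legit);
print "vulnerable, payload: ", read_target_vulnerable($payload);   # prints INJECTED
print "safe, legit:         ", read_target_safe($legit);
print "safe, payload:       ",
      (defined(read_target_safe($payload)) ? "served" : "rejected"), "\n";

chdir('/');   # leave the scratch directory so CLEANUP can remove it
```

Running it, the vulnerable routine serves index.html normally but also prints INJECTED for the payload (the shell will additionally complain on stderr that some_nonexistent_url is not a command), while the hardened routine serves the file and rejects the payload before open() is reached. The same fix applies to the CGI branch: the list form open(my $exec, '-|', './monitorix.cgi') starts the CGI without a shell, so no part of the argument is ever parsed as a pipeline. Running Perl with taint checking (-T) would also have refused the piped open on request-derived data, which is one reason to run network-facing Perl under -T.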
