[VIM] Pete Stein GoScript Remote Command Execution Vulnerability

George Theall gtheall at tenable.com
Tue Dec 10 06:00:03 CST 2013


On Dec 10, 2013, at 5:00 AM, Dinesh Theerthagiri <Dinesh_Theerthagiri at symantec.com> wrote:

> George,
> 
> We updated BID 10853 accordingly.
> 
> Monitorix technologies were removed from this BID because the information does not relate to this document.
> 
> Wrote a different BID for Monitorix: 64178.

Dinesh, the description in the new BID talks about the go.cgi script - "Specifically, this issue affects the 'go.cgi' script." The Monitorix code doesn’t actually have that script — see my earlier response about why the vulnerability arises.

> 
> 
> Thanks,
> T.Dinesh
> 
> 
> 
> -----Original Message-----
> From: vim-bounces at attrition.org [mailto:vim-bounces at attrition.org] On Behalf Of George Theall
> Sent: Thursday, December 05, 2013 8:18 AM
> To: Vulnerability Information Managers
> Subject: [VIM] Pete Stein GoScript Remote Command Execution Vulnerability
> 
> I notice that SecurityFocus updated BID 10853 yesterday to include Monitorix among the affected products, presumably based on <https://github.com/mikaku/Monitorix/issues/30>. That's incorrect. While our plugin that checks for the GoScript go.cgi code execution vulnerability does indeed flag Monitorix installs before 3.3.1, that application actually does not include the GoScript go.cgi and in fact the vulnerability arises because of the following code in the HTTP server itself:
> 
>        $target =~ s/^\///;                # removes leading slash
>        $target_cgi =~ s/^\///;                # removes leading slash
>        if($target_cgi eq "monitorix.cgi") {
>                chdir("cgi");
>                open(EXEC, "./$target_cgi |");
>                @data = <EXEC>;
>                close(EXEC);
>        } elsif($target) {
>                if(open(IN, $target)) {
>                        @data = <IN>;
>                        close(IN);
>                }
>        }
> 
> That is, it fails to sanitize the target_cgi value before using it in a Perl 'open()' call; even <http://example.com/some_nonexistent_url|id|> would work against it.
> 
> 
> George
> -- 
> theall at tenable.com
> 

George
-- 
theall at tenable.com
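As an added example (not code from Monitorix or from either message in this thread), the Perl below contrasts the two-argument `open()` pattern quoted above, where a request-derived string carrying a leading or trailing `|` is interpreted as a command, with a hardened version that confines file reads to a document root with three-argument `open()` and allow-lists the CGI name before running it. The document root path, the allow-list and the sample request paths are assumptions for illustration; the `is_magic_open_path` check is a small audit helper, not a replacement for fixing the call itself.

```perl
#!/usr/bin/perl
# Added example (not Monitorix code): contrast Perl's two-argument open(),
# which parses '|', '<', '>' and '-' out of the filename string, with a
# hardened file/CGI dispatch for a request-derived path.
use strict;
use warnings;
use File::Spec;
use Cwd qw(abs_path);

# Hypothetical document root and allowed CGI names (assumptions, not from the page).
my $DOCROOT     = '/var/lib/monitorix/www';   # placeholder path
my %ALLOWED_CGI = ('monitorix.cgi' => 1);

# Returns 1 if two-argument open() would treat this string as something other
# than a plain filename: a pipe to/from a command (leading or trailing '|'),
# an explicit mode prefix ('<', '>', '>>', '+<', ...) or a bare '-' (STDIN).
# Handy as a detection check when auditing code that still uses two-arg open().
sub is_magic_open_path {
    my ($p) = @_;
    return 1 if $p =~ /^\s*\|/ || $p =~ /\|\s*$/;   # pipe: runs a command
    return 1 if $p =~ /^\s*[<>+]/;                    # mode prefix parsed from data
    return 1 if $p =~ /^\s*-\s*$/;                    # '-' means STDIN
    return 0;
}

# Vulnerable pattern (same behaviour as the quoted server code): the untrusted
# string reaches two-argument open() unchanged, so a trailing '|' executes it.
sub read_target_unsafe {
    my ($target) = @_;
    $target =~ s/^\///;                          # removes leading slash
    open(my $in, $target) or return undef;       # two-arg open: '|' becomes a command
    my @data = <$in>;
    close($in);
    return \@data;
}

# Hardened pattern: three-argument open() never interprets the filename, and
# the resolved path must stay inside $DOCROOT after '..' and symlinks are expanded.
sub read_target_safe {
    my ($target) = @_;
    $target =~ s/^\///;
    return undef if $target eq '' || $target =~ /\0/;
    my $full = abs_path(File::Spec->catfile($DOCROOT, $target));
    return undef unless defined $full && index($full, "$DOCROOT/") == 0 && -f $full;
    open(my $in, '<', $full) or return undef;    # mode is explicit, not parsed from $target
    my @data = <$in>;
    close($in);
    return \@data;
}

# Hardened CGI dispatch: the script name must match the allow-list exactly, and
# the path handed to open() is built from constants only. Because it contains
# no shell metacharacters Perl execs it directly; when arguments are needed,
# the list form open($fh, '-|', $prog, @args) likewise never invokes a shell.
sub run_cgi_safe {
    my ($target_cgi) = @_;
    $target_cgi =~ s/^\///;
    return undef unless $ALLOWED_CGI{$target_cgi};
    my $script = File::Spec->catfile($DOCROOT, 'cgi', $target_cgi);
    open(my $exec, '-|', $script) or return undef;
    my @data = <$exec>;
    close($exec);
    return \@data;
}

# Demonstration on constructed request paths. Only the classifier runs here;
# nothing is opened or executed.
for my $path ('/index.html', '/some_nonexistent_url|id|', '/../outside.txt', '/-') {
    (my $t = $path) =~ s{^/}{};
    printf "%-28s magic-open=%d\n", $path, is_magic_open_path($t);
}
```

The key distinction is that two-argument `open()` derives the mode from the string it is given, so the request path itself decides whether Perl opens a file or runs a command; the three-argument form fixes the mode in code, and the remaining work is confining the path and allow-listing executable names.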
