06/29/2004

ZH2004-15SA (security advisory): I-Mall Commerce i-mall.cgi Remote Arbitrary Command Execution Vulnerability

Published: 29 06 2004
Released: 29 06 2004
Name: I-Mall
Affected Systems: All versions
Issue: Remote Arbitrary Command Execution
Author: SPAX and z\ of ZetaLabs, Zone-h Laboratories - www.zone-h.org
SPAX@zone-h.org - z@zone-h.org - zetalabs@zone-h.org

Description
***********

object i-mall.cgi
class Input Validation Error

I-Mall Commerce is a CGI-based online shopping suite in the Korean language. A remote command execution vulnerability has been discovered in the I-Mall CGI application by ZetaLabs, Zone-H Laboratories. The issue occurs because the i-mall.cgi script does not sufficiently sanitize externally supplied data, which allows a remote user to pass an arbitrary shell command that the script then executes. An attacker may exploit this vulnerability to execute commands in the security context of the web server hosting the affected script.

This vulnerability has been reported to affect all versions of I-Mall.

The following exploit is provided: http://www.zone-h.org/download/file=5233/
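
For sites that host the script, a log review can show whether the input-validation flaw described above has been probed. The following is an added example, not part of the advisory or of I-Mall: it flags access-log requests to i-mall.cgi whose decoded query values contain shell metacharacters. The advisory does not name the affected parameter, so every parameter is checked; the parameter name "x" and the log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Request field of a common/combined access log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Characters a shell treats specially; none belong in a shop query value.
SHELL_META = re.compile(r"[|;&`$<>\r\n]")

def decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded metacharacters are seen."""
    for _ in range(rounds):
        nxt = unquote_plus(value)
        if nxt == value:
            break
        value = nxt
    return value

def suspicious_requests(log_lines, script="i-mall.cgi"):
    """Return (line_number, parameter_name, decoded_value) for each hit."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = urlsplit(m.group(1))
        if script not in target.path.lower():
            continue
        # Split on the raw '&' first, so a decoded '&' inside a value is a hit.
        for pair in target.query.split("&"):
            name, _, raw = pair.partition("=")
            value = decode(raw)
            if SHELL_META.search(value):
                hits.append((n, name, value))
    return hits

# Constructed sample lines (documentation IP range, hypothetical parameter "x").
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Jun/2004:10:01:02 +0000] "GET /cgi-bin/i-mall.cgi?x=catalog HTTP/1.0" 200 5120',
    '192.0.2.44 - - [29/Jun/2004:10:03:17 +0000] "GET /cgi-bin/i-mall.cgi?x=1%3Bid HTTP/1.0" 200 87',
    '192.0.2.44 - - [29/Jun/2004:10:03:40 +0000] "GET /cgi-bin/i-mall.cgi?x=a%2560uname%2560 HTTP/1.0" 200 91',
    '192.0.2.10 - - [29/Jun/2004:10:04:00 +0000] "GET /index.html?q=a|b HTTP/1.0" 200 300',
]

if __name__ == "__main__":
    for line_no, name, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {line_no}: parameter {name!r} carries {value!r}")
```

Access logs normally record only the request line, so data submitted in a POST body is not covered by this check.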