|
Family: CGI abuses --> Category: attack
HAMweather daysonly Arbitrary Code Execution Vulnerability Vulnerability Scan
Vulnerability Scan Summary Executes arbitrary command via HAMweather
Detailed Explanation for this Vulnerability Test
Synopsis :
The remote web server contains an application that allows execution of
arbitrary code.
Description :
The remote host is running HAMweather, a weather-forecasting software
application.
The installed version of HAMweather fails to properly sanitize input
to the 'daysonly' parameter before using it to evaluate PHP or Perl
code. An unauthenticated attacker can leverage this issue to execute
arbitrary code on the remote host subject to the rights of the web
server user id.
See also :
http://www.gulftech.org/?node=research&article_id=00115-09302006
http://support.hamweather.com/viewtopic.php?t=6548
Solution :
Upgrade to HAMweather 3.9.8.2 Perl/ASP or HAMweather 3.9.8.5 PHP or
later.
Threat Level:
High / CVSS Base Score : 7
(AV:R/AC:L/Au:NR/C:P/A:P/I:P/B:N)
Click HERE for more information and discussions on this network vulnerability scan.
|