ID de Prueba:	1.3.6.1.4.1.25623.1.0.10383
Categoría:	Web application abuses
Título:	bizdb1-search.cgi located
Resumen:	One of the BizDB scripts, bizdb-search.cgi, passes a variable's; contents to an unchecked open() call and can therefore be made to execute commands at the privilege; level of the webserver.
Descripción:	Summary: One of the BizDB scripts, bizdb-search.cgi, passes a variable's contents to an unchecked open() call and can therefore be made to execute commands at the privilege level of the webserver. Vulnerability Impact: The variable is dbname, and if passed a semicolon followed by shell commands they will be executed. This cannot be exploited from a browser, as the software checks for a referrer field in the HTTP request. A valid referrer field can however be created and sent programmatically or via a network utility like netcat. Solution: No known solution was made available for at least one year since the disclosure of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product by another one. CVSS Score: 10.0 CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2000-0287 BugTraq ID: 1104 http://www.securityfocus.com/bid/1104 Bugtraq: 20000412 BizDB Search Script Enables Shell Command Execution at the Server (Google Search) http://archives.neohapsis.com/archives/bugtraq/2000-04/0058.html XForce ISS Database: http-cgi-bizdb
Copyright	Copyright (C) 2000 Roelof Temmingh

Esta es sólo una de 146377 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa. Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.