Snort-alerts/WEB-CGI-calendar-access

From aldeid

WEB-CGI calendar access

Trigger

An open source calendar Perl script by Matt Kruse allows commands to be executed because input is passed to the Perl open() function without verification. For example, in /cgi-bin/calendar_admin.pl, placing the string "|ping 127.0.0.1|" in the configuration file field executes the command "ping 127.0.0.1".
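A hardened form of the open() call described above, as an added example that is not code from the calendar script or from this page. The directory path, the ".cfg" naming rule and the function name open_config are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Assumed directory holding the calendar configuration files (hypothetical).
my $CONFIG_DIR = '/var/www/calendar/conf';

# Return a read handle for a user-supplied configuration file name, or
# nothing if the name is rejected or the file cannot be opened.
sub open_config {
    my ($name) = @_;

    # Allow-list: a bare file name only. This rejects '|', '/', '..',
    # whitespace and every other shell or path metacharacter.
    return unless defined $name && $name =~ /\A[A-Za-z0-9_-]+\.cfg\z/;

    my $path = File::Spec->catfile($CONFIG_DIR, $name);

    # Two-argument open(FH, $value) interprets a '|' at the start or end of
    # the value as a request to run a command, which is the behaviour this
    # alert is about. Three-argument open with an explicit '<' mode always
    # treats $path as a file name, whatever characters it contains.
    open(my $fh, '<', $path) or return;
    return $fh;
}

# Constructed sample inputs: the string from the Trigger section and an
# ordinary file name.
for my $input ('|ping 127.0.0.1|', 'calendar.cfg') {
    my $fh = open_config($input);
    printf "%-20s => %s\n", $input, $fh ? 'opened' : 'rejected or missing';
    close $fh if $fh;
}
```

The allow-list and the three-argument open are independent controls: either one alone stops the pipe string from being interpreted as a command.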

Affected systems

Any web server running the application.

Scenario

An unauthenticated user can execute arbitrary programs on the server by accessing calendar_admin.pl and inputting commands such as "|mail /etc/passwd|" into the configuration file field.

Example

A request to http://www.somesite.com/js/calendar.js produces the following alert:

[**] [1:882:6] WEB-CGI calendar access [**]
[Classification: Attempted Information Leak] [Priority: 2]
09/19-14:16:04.858834 86.221.***.***:33985 -> 192.168.***.**:80
TCP TTL:56 TOS:0x0 ID:15232 IpLen:20 DgmLen:585 DF
***AP*** Seq: 0x7B385AAD  Ack: 0x1131057D  Win: 0xB3  TcpLen: 32
TCP Options (3) => NOP NOP TS: 944528 16344936