My client received the warning below from a security site scan. The site uses version v1.3.9h.
Are there any measures I can take to prevent this coming up as an issue?
Description:
The remote web server hosts cgi scripts that fail to adequately sanitize
request strings. By leveraging this issue, an attacker may be able
to execute arbitrary commands on the remote host.
See Also:
http://en.wikipedia.org/wiki/Code_injection
http://projects.webappsec.org/OS-Commanding
Risk Factor:
High / CVSS Base Score : 7.5 (CVSS2#AV:N/AC:L/Au:N/C/I
/A
)
Solution:
Restrict access to the vulnerable application. Contact the
vendor for a patch or upgrade.
Output:
Using the POST HTTP method, Site Scanner found that :
+ The following resources may be vulnerable to arbitrary command execution :
/index.php?main_page=contact_us&action=send [contactname=echo%20NeS%20%2
0SuS]
-------- output --------
<label class="inputLabel" for="contactname">Full Name:</label>
<input type="text" name="contactname" value="echo NeS SuS" size=" [...]
<label class="inputLabel" for="email-address">Email Address:</label>
------------------------
Other references : CWE:78, CWE:77, CWE:20, CWE:74, CWE:713, CWE:722, CWE:727, CWE:741, CWE:751, CWE:801


/I
Reply With Quote
