FrSIRT - Fujitsu Siemens ServerView "Servername" Parameter Command Injection Vulnerability / Exploit (Security Advisories)

French Security Incident Response Team

French

English

Fujitsu Siemens ServerView "Servername" Parameter Command Injection Vulnerability

Title : Fujitsu Siemens ServerView "Servername" Parameter Command Injection Vulnerability
Advisory ID : FrSIRT/ADV-2007-2441
CVE ID : CVE-2007-3011
Rated as : High Risk

Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-07-05

Advisory Details

Description

Affected Products

Solution

References

Technical Description

A vulnerability has been identified in Fujitsu Siemens ServerView, which could be exploited by attackers to execute arbitrary code. This issue is caused by an input validation error in the "cgi-bin/ServerView/SnmpView/DBAsciiAccess" script that does not validate the "Servername" parameter of "Parameterlist", which could be exploited by attackers to inject and execute arbitrary shell commands with the privileges of the application.

Credits

Vulnerability reported by RedTeam Pentesting.

ChangeLog

2007-07-05 : Initial release

Vulnerability Management

Subscribe to FrSIRT VNS and receive real-time e-mail and SMS alerts when new vulnerabilities, exploits, or patches relevant to your systems and network configurations are available.

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form or by email to updates@frsirt.com.

Mailinglist

	Oracle Products Multiple Code Execution and Security Bypass Issues
	Oracle Products Command Execution and SQL Injection Vulnerabilities
	Oracle Products Multiple Code Execution and SQL Injection Vulnerabilities
	Oracle Database "PITRIG_DROPMETADATA" Buffer Overflow Vulnerability
	Oracle Products Multiple Code Execution and SQL Injection Vulnerabilities
	Oracle JInitiator ActiveX Control Multiple Remote Buffer Overflow Vulnerabilities
	Oracle Products Multiple Remote Command Execution and SQL Injection Vulnerabilities

	Microsoft Windows Kernel Local Integer Overflow Vulnerability
	Microsoft Windows Vista "WRITE_ANDX" Denial of Service Vulnerability
	Microsoft Office OneNote URL Code Execution (MS08-055)
	Microsoft GDI+ Multiple Code Execution Vulnerabilities (MS08-052)
	Microsoft Visual Studio "Msmask32" Code Execution Vulnerability
	Microsoft PowerPoint Command Execution Vulnerabilities (MS08-051)
	Microsoft Windows Messenger Data Disclosure (MS08-050)

	Apple Mac OS X Code Execution and Security Bypass Vulnerabilities
	Apple TV Multiple File Processing Code Execution Vulnerabilities
	Apple Mac OS X Code Execution and Security Bypass Vulnerabilities
	Apple iPhone Code Execution and Security Bypass Vulnerabilities
	Apple QuickTime Multiple Remote Code Execution Vulnerabilities
	Apple iTunes Driver Integer Overflow Privilege Escalation Vulnerability
	Apple iPod touch Code Execution and Security Bypass Vulnerabilities