hi Vikas,
Was going through the code for webnocol.cgi and I came across this near
line 663,
if ($cmd) {
$cmd =~ s/DEVICE/$siteaddr/ ; # replace keyword with IP address
if (! open (CMD, "$cmd 2>&1 |") ) {
print "Command $cmd error <p>\n";
This portion replaces the keyword DEVICE with the $siteaddr posted by the
HTML form (lines 127) so a malicious user that knows a site is using
NOCOL, and that is unrestricted by .htaccess can cause a bit of a problem
by doing a POST with dangerous characters placed in the field 'siteaddr'.
A suggestion would be to do a
$siteaddr=~y/[a-zA-Z0-9_.\-]//cd;
prior to executing the diagnostic commands.
Comments are welcomed.
rgds,
Lim Fung
|