eGroupWare spellchecker.php Arbitrary Shell Command Execution

Severity: High. Nessus Plugin ID: 45023

Synopsis

The remote web server contains a CGI script that can be abused to execute arbitrary commands.

Description

The version of eGroupWare hosted on the remote web server fails to sanitize user-supplied input to the 'aspell_path' and/or 'spellchecker_lang' parameters of the 'spellchecker.php' script before passing it to a shell.

An unauthenticated, remote attacker can leverage these issues to execute arbitrary commands subject to the privileges under which the web server operates.

Note that the install likely has a cross-site scripting vulnerability, although Nessus has not checked for this.

Solution

Upgrade to eGroupWare 1.6.003 / eGroupWare version EPL 9.1.20100309 / 9.2.20100309 or later.

See Also

http://www.cybsec.com/vuln/cybsec_advisory_2010_0303_egroupware_.pdf

http://www.egroupware.org/news?category_id=95&item=93

Plugin Details

Severity: High

ID: 45023

File Name: egroupware_spellchecker_cmd_exec.nasl

Version: 1.16

Type: remote

Family: CGI abuses

Published: 3/10/2010

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:egroupware:egroupware

Required KB Items: www/egroupware

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Patch Publication Date: 3/9/2010

Vulnerability Publication Date: 3/9/2010

Reference Information

CVE: CVE-2010-3313

BID: 38609, 38794

SECUNIA: 38859