FreeBSD : p5-UI-Dialog -- shell command execution vulnerability (00dadbf0-6f61-11e5-a2a1-002590263bf5)

This script is Copyright (C) 2015-2017 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

Matthijs Kooijman reports :

It seems that the whiptail, cdialog and kdialog backends apply some
improper escaping in their shell commands, causing special characters
present in menu item titles to be interpreted by the shell. This
includes the backtick evaluation operator, so this constitutes a
security issue, allowing execution of arbitrary commands if an
attacker has control over the text displayed in a menu.
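As an added illustration, not code from UI::Dialog or from the report above, the following Python shows the command-construction pattern behind this class of bug beside the two usual fixes; the whiptail invocation is a constructed stand-in for the module's backend calls, and printf stands in for the backend when the quoting is exercised against a real sh:

```python
import shlex
import subprocess

# Constructed sample titles standing in for attacker-influenced menu text.
# Backticks and $(...) are command substitution in sh; the apostrophes in
# the second title exercise the quoting logic itself.
HOSTILE_TITLES = ["Backups `uname` $(id) ; ls", "O'Brien's `files`"]


def naive_command(title):
    """The bug pattern: the title is interpolated into a shell command
    string that is later handed to /bin/sh. Inside double quotes the shell
    still performs `...` and $(...) substitution, so whatever the title
    carries runs with the calling program's privileges."""
    return f'whiptail --title "{title}" --msgbox "Done" 8 40'


def quoted_command(title):
    """Fix when a shell string is unavoidable: every untrusted value goes
    through shlex.quote (POSIX single-quoting), so the shell receives it as
    one literal word and performs no substitution on it."""
    return f"whiptail --title {shlex.quote(title)} --msgbox Done 8 40"


def backend_argv(title):
    """Preferred fix: hand the backend an argv list and never involve a
    shell at all, so no character in the title is special."""
    return ["whiptail", "--title", title, "--msgbox", "Done", "8", "40"]


def title_as_seen_by_shell(title):
    """Offline check: split the quoted command the way a POSIX shell would
    and return the word that lands in the --title slot."""
    return shlex.split(quoted_command(title))[2]


def title_received_by_backend(title):
    """Run-time check with printf standing in for the dialog backend: the
    quoted string is evaluated by a real sh, and what printf echoes back is
    exactly the argument the backend received."""
    cmd = f"printf '%s' {shlex.quote(title)}"
    return subprocess.run(["sh", "-c", cmd], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    for t in HOSTILE_TITLES:
        print("naive  :", naive_command(t))      # substitution would fire
        print("quoted :", quoted_command(t))     # one literal word
        print("argv   :", backend_argv(t))       # no shell involved
        assert title_as_seen_by_shell(t) == title_received_by_backend(t) == t
```

The naive form is only printed, never executed; the check that matters is that both fixed forms deliver the hostile title to the backend byte-for-byte unchanged.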

See also :

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203667
https://rt.cpan.org/Public/Bug/Display.html?id=107364
https://bugs.debian.org/496448
http://www.nessus.org/u?ef8683ad
http://www.nessus.org/u?2de005c9

Solution :

Update the affected package.

Risk factor :

High

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 86334

Bugtraq ID:

CVE ID: CVE-2008-7315
