Metacharacterbug in the Fastgraf whois.cgi perlscript
-----------------------------------------------------

Author        : Fastgraf (c) All rights reserved.
url           : http://www.fastgraf.com
realeasedate  : 03/01/99

Problem:
The whois.cgi script of Fastgraf has almost no metacharcterchecking
which enables attackers to execute commands as uid of the webserver.

The metacharcterbug in the script:

   $FORM{'host'} =~ s/(\;)//g;

As you can see only the ";" gets deleted. So attackers are still able
to use pipes, redirectioncharacters and so on.

Solution:

Change the filtering to:

   $FORM{'host'} =~ s/(\W)/\\$1/g;

The author has been notified to correct this problem.

Marco van Berkum

--
Sex is like hacking. You get in, you get out,
and you hope you didn't leave something behind
that can be traced back to you.

Marco van Berkum, System Operator/Security Analyst OBIT b.v.
RIPEHANDLE: MB17300-RIPE