Linux Remote Command Execution Vulnerability

On November 30th 2009, an anonymous person published a method for dotDefender authenticated administrators to run limited shell commands using remote command execution via a POST parameter which has been successfully tested against dotDefender 3.X for Apache on Linux/UNIX platforms (http://www.securityfocus.com/archive/1/508124).



FAQs

Got questions about dotDefender? Please visit our knowledgebase for answers or contact Support at support@applicure.com.


Featured Blog Posts

The Price of Ignoring SQL Injection Vulnerabilities

Research has shown that businesses just don’t take web application security seriously enough. For ... read more ...

Top Jordan website back up after hacking

AMMAN — Jordan's most popular news website, Ammonnews, said it was shut down ... read more ...

Microsoft confirms critical IE bug, works on fix

suggests using blocking tool, but does not plan to issue emergency patch ... read more ...

Yesterday, December 2nd 2009, Applicure issued a fix for this issue, available at http://www.applicure.com/downloads/misc/index1.tar.gz.

A simple extraction of index1.cgi and replacement of the existing file at: /usr/local/APPCure-full/lib/admin/index1.cgi shall suffice to harden the administrative console against this vulnerability.

Nevertheless, at no time have dotDefender users been under any type of threat due to the following:

  1. This vulnerability does not compromise the dotDefender Web Application Firewall
  2. A user must be logged into the administrative console, effectively possessing administrative privileges on the Web server itself
  3. The consequent freedom of action is restricted under the Apache process privileges

Applicure does not recommend that Web server administrators try the abovementioned attack on their dotDefender installation.

In any case, other, non-privileged users will not be able to execute this attack.

Applicure encourages security testers to report any vulnerability that may be found in its products in a formal appeal, acting responsibly and allowing at least a week's noticeto fix the vulnerability, as is customary in the information security community, before publishing it.

For any additional information or inquiries please contact Applicure support team.

Raviv Raz
Product Manager
Applicure Technologies
raviv_at_applicure_dot_com


Related Articles:

NetStrategies and Applicure Partnership
STI Group offering dotDefender
Applicure Unveils dotDefender v3.8

Applicure Technologies Ltd.

Products

Solutions

Connect with Applicure

Please Wait...