eScan MWAdmin forgotpassword.php uname Parameter Arbitrary Command Execution

critical Nessus Plugin ID 45345

Synopsis

A PHP application hosted on the remote web server allows execution of arbitrary commands.

Description

The version of MicroWorld eScan MWAdmin hosted on the remote web server fails to properly sanitize input to the 'uname' parameter of the 'forgotpassword.php' script before using it when calling 'exec()'.

A remote attacker could exploit this to execute arbitrary commands on the system. These commands can be executed as root by using the 'runasroot' program, which is included with eScan.

Solution

There is no known solution at this time.

Plugin Details

Severity: Critical

ID: 45345

File Name: escan_mwadmin_forgotpw_cmd_injection.nasl

Version: 1.9

Type: remote

Family: CGI abuses

Published: 3/25/2010

Updated: 1/19/2021

Supported Sensors: Nessus

Vulnerability Information

Required KB Items: www/escan_mwadmin

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 3/13/2010

Reference Information

BID: 38750

Secunia: 38910