CCBill whereami.cgi Arbitrary Command Execution Vulnerability

  • justsexxx
    Too lazy to set a custom title
    • Aug 2001
    • 13723

    #1

    CCBill whereami.cgi Arbitrary Command Execution Vulnerability

    Just found this...

    http://www.secunia.co.uk/advisories/9191/
    http://www.symantec.com/avcenter/sec...tent/8095.html

    Thought I'd let ya all know

    Andre
    Questions?

    ICQ: 125184542
  • Bucho
    Confirmed User
    • May 2003
    • 578

    #2
    thanks - had a bunch of those on my servers....wonder why those guys don't delete the files when they are done?
    ICQ: 4646141

• justsexxx
  Too lazy to set a custom title
  • Aug 2001
  • 13723

  #3
  Originally posted by Bucho
  thanks - had a bunch of those on my servers....wonder why those guys don't delete the files when they are done?
  No idea, no need to keep all those files there....The more useless files, the more chance of having a vulnerability...

  Andre
  Questions?

  ICQ: 125184542

• s9ann0
  Confirmed User
  • Sep 2001
  • 4873

  #4
  wow a CCBill security hole, who would have thought it!

• BabeHunter
  Webmaster
  • Oct 2001
  • 4063

  #5
  thanks dude
  Yep

• justsexxx
  Too lazy to set a custom title
  • Aug 2001
  • 13723

  #6
  Originally posted by spanno
  wow a CCBill security hole, who would have thought it!
  Well, don't know if it's their fault. I think they use it for the install...Don't know if they tell ppl to remove the file after the install...

  Anyway, glad I could help a few ppl with this

  Andre
  Questions?

  ICQ: 125184542

• Mr.Fiction
  Confirmed User
  • Feb 2002
  • 9484

  #7
  Bumping this for anyone who hasn't seen it yet.
  Don't be lazy, protect free speech: ACLU | Free Speech Coalition | EFF | IMPA

• andi_germany
  Confirmed User
  • Oct 2002
  • 768

  #8
  What does this cgi do anyway? I don't have it on my ccbill sites at all.
  SIG TOO BIG! Maximum 120x60 button and no more than 3 text lines of DEFAULT SIZE and COLOR. Unless your sig is for a GFY top banner sponsor, then you may use a 624x80 instead of a 120x60.

• Mr.Fiction
  Confirmed User
  • Feb 2002
  • 9484

  #9
  Originally posted by andi_germany
  What does this cgi do anyway? I don't have it on my ccbill sites at all.
  You checked in the ccbill install directory?

  I believe that they use it for something during the setup process if CCBill sets up your scripts.
  Don't be lazy, protect free speech: ACLU | Free Speech Coalition | EFF | IMPA

• Shoplifter
  Richest man in Babylon
  • Jan 2002
  • 5848

  #10
  I've posted recently about some serious vulnerabilities in the various postback scripts. The worst I have found is the AC Pay postback script; anyone can use this to create accounts. If you use it, rename it immediately.

  If these guys get your .htpasswd by this method you can expect hundreds of compromised accounts.

  Pretty well any CGI that accepts parameters can be compromised.
  I think the Ibill where.pl is ok as it does not take any input.
  I Like Blondes

• andi_germany
  Confirmed User
  • Oct 2002
  • 768

  #11
  Originally posted by Mr.Fiction
  You checked in the ccbill install directory?

  I believe that they use it for something during the setup process if CCBill sets up your scripts.
  I am not giving any passwords out to any biller, therefore I have always installed the scripts myself. Sometimes the additional work has to work out security-wise ;)
  SIG TOO BIG! Maximum 120x60 button and no more than 3 text lines of DEFAULT SIZE and COLOR. Unless your sig is for a GFY top banner sponsor, then you may use a 624x80 instead of a 120x60.

• justsexxx
  Too lazy to set a custom title
  • Aug 2001
  • 13723

  #12
  Originally posted by andi_germany
  What does this cgi do anyway? I don't have it on my ccbill sites at all.
  Only "old" installs of the CCbill script did have that file....

  Andre
  Questions?

  ICQ: 125184542

• SpaceAce
  Confirmed User
  • Jul 2002
  • 6493

  #13
  Originally posted by justsexxx
  Just found this...

  http://www.secunia.co.uk/advisories/9191/
  http://www.symantec.com/avcenter/sec...tent/8095.html

  Thought I'd let ya all know

  Andre
  You know, when I first saw this I checked a couple of my copies of whereami.cgi and I found nothing in them that takes any kind of parameter or executes any system command. What versions and/or dates is this supposed to apply to?

  SpaceAce
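
Two posts above describe the same triage an admin can run over a cgi-bin: post #13 reads each copy of whereami.cgi looking for anything that takes a parameter or executes a system command, and post #10 notes that a script like where.pl is fine precisely because it takes no input. The script below is an added example, not from the thread, from CCBill or from any of the posters; it automates that first pass over a directory tree of Perl CGIs. The file names and script bodies it creates are constructed samples (a hypothetical installer_helper.cgi, poll.cgi, uptime_box.cgi and where_static.pl), not the real CCBill or Ibill files, and the grep patterns are assumptions about common Perl idioms, not a complete list.

```shell
#!/bin/sh
# Added example (not from the thread or CCBill): first-pass audit of a cgi-bin tree.
# For each Perl CGI it answers the two questions from post #13: does the script read
# request input, and does it hand anything to a shell? Scripts that do both go to the
# top of the manual-review pile. All sample scripts below are constructed.

# audit_cgi DIR
# Prints one line per *.cgi / *.pl file under DIR, tagged:
#   flag|path   reads request input AND reaches a shell -> review first
#   input|path  reads request input only
#   shell|path  reaches a shell only
#   clean|path  neither (the where.pl case from post #10)
audit_cgi() {
    dir=$1
    for f in $(find "$dir" -type f \( -name '*.cgi' -o -name '*.pl' \) | sort); do
        reads_input=0
        calls_shell=0
        # Perl idioms for reading request data: CGI.pm param(), raw QUERY_STRING, STDIN (POST body)
        if grep -qE 'param\(|QUERY_STRING|<STDIN>' "$f"; then reads_input=1; fi
        # Perl idioms that hand a string to a shell: system(), exec(), backticks, qx//, open() with a pipe
        if grep -qE 'system\(|exec\(|`|qx[/{(]|open\([^)]*\|' "$f"; then calls_shell=1; fi
        if [ "$reads_input" = 1 ] && [ "$calls_shell" = 1 ]; then echo "flag|$f"
        elif [ "$reads_input" = 1 ]; then echo "input|$f"
        elif [ "$calls_shell" = 1 ]; then echo "shell|$f"
        else echo "clean|$f"
        fi
    done
}

# count_tagged DIR TAG -> number of files under DIR that audit_cgi tagged TAG
count_tagged() {
    audit_cgi "$1" | grep -c "^$2|" || true
}

# make_sample_cgi_bin DIR -> populate DIR with four constructed scripts, one per tag
make_sample_cgi_bin() {
    mkdir -p "$1"
    # a request parameter flows straight into a shell command line: the pattern to review first
    cat > "$1/installer_helper.cgi" <<'EOF'
#!/usr/bin/perl
use CGI;
my $q = CGI->new;
my $host = $q->param('host');
print "Content-type: text/plain\n\n";
system("nslookup $host");
EOF
    # reads the POST body but never touches a shell
    cat > "$1/poll.cgi" <<'EOF'
#!/usr/bin/perl
my $body = <STDIN>;
open(my $fh, '>>', '/tmp/poll.log') or die;
print $fh $body;
print "Content-type: text/plain\n\nthanks\n";
EOF
    # no request input, but it shells out: fine only as long as that stays true
    cat > "$1/uptime_box.cgi" <<'EOF'
#!/usr/bin/perl
my $up = `uptime`;
print "Content-type: text/plain\n\n$up";
EOF
    # takes nothing, runs nothing
    cat > "$1/where_static.pl" <<'EOF'
#!/usr/bin/perl
print "Content-type: text/plain\n\n";
print "served by ", $ENV{SERVER_NAME}, "\n";
EOF
}

# Stand-alone run over the constructed tree
sample=$(mktemp -d)
make_sample_cgi_bin "$sample/cgi-bin"
audit_cgi "$sample/cgi-bin"
rm -rf "$sample"
```

This is a heuristic, not a verdict: the list form system('cmd', $arg), which never goes through a shell, is still flagged, and a script tagged input can have other bugs (path traversal, file writes) that this pass does not look for. The useful outcome is the ordering, and the point from posts #2 and #3 still stands: a file that is not on the server at all needs no review.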
