CVE-2008-0892: Input Validation
First published: Thu Mar 13 2008(Updated: )
Richard Megginson discovered a shell command injection flaw in the Admin Server's replication monitor CGI perl script repl-monitor-cgi.pl. Script parameters were not properly sanitized prior to being passed to system() function. An attacker able to access replication monitor CGI script could execute arbitrary shell command with privileges of Admin Server. Affected versions: - Red Hat Directory Server 7.1 - Admin Server runs with root privileges - Red Hat Directory Server 8 - Admin Server runs under an unprivileged user, following users by default: - nobody on Red Hat Enterprise Linux and Solaris - daemon on HP-UX - Fedora Directory Server - Admin Server runs under an unprivileged user, nobody by default
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Redhat Fedora Directory Server | ||
| Redhat Directory Server | =7.1 | |
| Redhat Directory Server | =8-el4 | |
| Redhat Directory Server | =8-el5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=437301
- http://www.redhat.com/support/errata/RHSA-2008-0201.html
- http://secunia.com/advisories/29761
- http://www.redhat.com/support/errata/RHSA-2008-0199.html
- http://www.securityfocus.com/bid/28802
- http://www.securitytracker.com/id?1019856
- https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00380.html
- https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00386.html
- http://secunia.com/advisories/29826
- http://secunia.com/advisories/30114
- http://www.vupen.com/english/advisories/2008/1449/references
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01433676
- https://exchange.xforce.ibmcloud.com/vulnerabilities/41840
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=302494
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=302494&action=edit
- collector/nvd-historical
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/weakness
- agent/references
- agent/author
- agent/last-modified-date
- agent/tags
- agent/event
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2008-0892
- vendor/redhat
- canonical/redhat fedora directory server
- canonical/redhat directory server
- version/redhat directory server/7.1
- version/redhat directory server/8-el4
- version/redhat directory server/8-el5