Published:2007/05/16  Last Updated:2008/05/21

JVN#81294906
Homepage Builder sample CGI programs vulnerable to OS command injection
Critical

Overview

Some of the CGI sample programs included in Homepage Builder provided by IBM Japan contains a vulnerability which may allow an attacker to inject an arbitrary OS command.

Products Affected

Servers deploying the sample CGI programs are affected.

  • Homepage Builder - 11
  • Homepage Builder - 10
  • Homepage Builder - 10 Lite
  • Homepage Builder - V9
  • Homepage Builder - V9 Lite
  • Homepage Builder - V8
  • Homepage Builder - V8 Lite
  • Homepage Builder - V7
  • Homepage Builder - V7 Lite
  • Homepage Builder V6.5 with HotMedia
  • Homepage Builder V6.5 with HotMedia Lite
  • Homepage Builder - V6
  • Homepage Builder - V6 Lite
  • Homepage Builder - 2001
  • Homepage Builder - 2000
  • Homepage Builder - V3
  • Homepage Builder - V2 Value Pack
According to the vendor, it is confirmed that vulnerable CGI sample programs are not included in the demo versions of each product.

Description

Among sample CGI programs included in Homepage Builder, anketo.cgi, kansou.cgi, and order.cgi contain an OS command injection vulnerability as they do not properly validate input data.

Impact

An arbitrary command could be executed on the web server with the privilege of the web server process.

Solution

Apply the Patch
Apply the patch named "HPBCGIFIX " or manually fix the CGI programs installed on the server by following the instructions provided by the vendor.
"HPBCGIFIX " fixes the CGI sample programs in the sample folder. CGI programs customized or copied to a user's folder must be manually fixed.

For more information, please refer to the vendor's website "How to fix sample CGI of Homepage Builder"

Vendor Status

Vendor Link
IBM Japan http://www.ibm.com/jp/software/internet/hpb/security/hpbcgifix_20070514/index.html
Fujitsu http://software.fujitsu.com/jp/security/vulnerabilities/jvn-81294906.html

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Analyzed on 2007.05.16 Critical

Measures Conditions Severity
Access Required Routed - can be attacked over the Internet using packets
  • High
Authentication None - anonymous or no authentication (IP addresses do not count)
  • High
User Interaction Required None - the vulnerability can be exploited without an honest user taking any action
  • High
Exploit Complexity Medium - some expertise and/or luck required (most buffer overflows, guessing correctly in small space, expertise in Windows function calls)
  • Medium-High

Description of each analysis measures

Credit

Yasufumi Kato reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendors under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports JPCERT-WR-2007-1901
CERT Advisory
CPNI Advisory
TRnotes
CVE
JVN iPedia JVNDB-2007-000395

Update History