COMMAND

    whois.cgi, ping.cgi, traceroute.cgi and finger.cgi

SYSTEMS AFFECTED

    Fastgraf CGI colllection

PROBLEM

    Marco  van  Berkum  found  following.   The  whois.cgi  script  of
    Fastgraf  has   almost  no   metacharcterchecking  which   enables
    attackers  to  execute  commands  as  uid  of  the webserver.  The
    metacharcterbug in the script:

        $FORM{'host'} =~ s/(\;)//g;

    As you can see only the ";" gets deleted.  So attackers are  still
    able to use pipes, redirectioncharacters and so on.

    ping.cgi, traceroute.cgi and finger.cgi have the same bug.

SOLUTION

    Change the filtering to:

        $FORM{'host'} =~ s/(\W)/\\$1/g;

    The author has been notified to correct this problem.