COMMAND

    KW Whois

SYSTEMS AFFECTED

    KW Whois 1.0

PROBLEM

    Mark Stratman found the following.  There is a vulnerability in
    Kootenay Web Inc's KW Whois v1.0 which allows malicious users to
    execute commands as the uid/gid of the webserver.  The hole lies in
    unchecked user input from an input form box.  The form element
    <input type=text name="whois"> is not checked by the script for
    unsafe characters.

    Unsafe code:

        use CGI;
        my $query = CGI->new;
        $site = $query->param('whois');   # taken straight from the form field, unchecked
        ....
        $app = `whois $site`;             # interpolated into a shell command line
        print "$app .......

    Proof of concept:  Type ";id" (without the quotes) into the  input
    box.

SOLUTION

    Filter out or reject unsafe characters in the value returned by
    $query->param('whois') with standard CGI input checking before it
    is passed to the shell (see http://www.n3t.net/programming/).
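    A hardened version of the lookup, as an added example that is not
    KW Whois's own code: it assumes the same "whois" form field, the
    CGI.pm module, and a whois(1) binary in /usr/bin or /bin.  The
    field is validated against an allowlist (which also untaints it for
    -T) and whois is executed without a shell.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use CGI;

# Taint mode (-T) refuses to hand request-derived data to exec() until
# it has passed through a regex capture, so the check below is both the
# allowlist and the untainting step.  -T also insists on a trusted PATH.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Return the validated target, or nothing.  Only a hostname of
# dot-separated labels or a dotted-quad IPv4 address is accepted; ";",
# "|", "`", "$", quotes, whitespace and a leading "-" (which whois would
# read as an option) can never match.
sub whois_target {
    my ($s) = @_;
    return unless defined $s && length($s) <= 253;
    my $label = qr/[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?/;
    my $octet = qr/(?:25[0-5]|2[0-4]\d|1?\d?\d)/;
    if ($s =~ /\A((?:$label\.)+[A-Za-z]{2,63}|$octet(?:\.$octet){3})\z/) {
        return $1;    # the captured group is untainted
    }
    return;
}

# Run whois without a shell: the list form of open() execs the program
# directly with $site as one argument, so nothing in it is parsed as a
# command.  Contrast with the original's `whois $site`.
sub run_whois {
    my ($site) = @_;
    open(my $fh, '-|', 'whois', $site) or die "cannot run whois: $!\n";
    local $/;    # slurp the whole reply
    my $out = <$fh>;
    close($fh);
    return defined $out ? $out : '';
}

my $query = CGI->new;
my $site  = whois_target(scalar $query->param('whois'));

print $query->header('text/plain');
if (defined $site) {
    print run_whois($site);
} else {
    print "Rejected: the whois field must be a hostname or IPv4 address.\n";
}
```

    With this version the ";id" input from the proof of concept above
    fails the allowlist and is never passed to any program.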