COMMAND

    MiniVend

SYSTEMS AFFECTED

    MiniVend 4.04

PROBLEM

    MiniVend version 4.04  and earlier come  with a sample  storefront
    which contains a vulnerable piece of code.  There are two  related
    issues which  together allow  for execution  of commands  with the
    privileges of the web server.  First, the file VIEW_PAGE.HTML does
    not parse input to check for a pipe as part of an input filename.

    Second, UTIL.PM uses the perl OPEN function in an insecure  manner
    to check for the existence of the file, allowing piped commands to
    be executed.

    This was discovered by Alexander Lazic as part of the OpenHack.com
    Hacking Challenge, and  discussed in an  article written July  10,
    2000 for ZDNet News.

SOLUTION

    Deleting  VIEW_PAGE.HTML  is  an  adequate  workaround  for   this
    problem.