Signature Detail

HTTP: dcforum.cgi AZ Field Remote Execution

This signature detects shell attempts to exploit the dcforum.cgi script in DCScripts DC Forum (all versions), which is used to manage Web-based discussion boards. Attackers can use maliciously crafted URL requests with the pipe and newline characters to execute arbitrary scripts on the Web server.

Extended Description

DCForum is a commercial cgi script from DCScripts which is designed to facilitate web-based threaded discussion forums. All versions of DCForum are vulnerable to remote execution of arbitrary commands. DCForum fails to properly validate user-supplied input to the script. By inserting shell commands in submitted querystrings, an attacker can cause the script to open and parse commands in an external file on the target system. By supplying a long path (containing '/../' sequences) an attacker can force the script to open a file from arbitrary locations on the filesystem. Commands in this file will be executed with the privilege level of the webserver - usually 'nobody'.

Affected Products

• DC Scripts DCForum 1.0.0
• DC Scripts DCForum 2.0.0
• DC Scripts DCForum 3.0.0
• DC Scripts DCForum 4.0.0
• DC Scripts DCForum 5.0.0
• DC Scripts DCForum 6.0.0
• DC Scripts DCForum 2000 1.0.0

References

• BugTraq: 2611
• CVE: CVE-2001-0436