Signature Detail
Short Name |
HTTP:MISC:CVSTRAC-FILEDIFF-RCE |
|---|---|
Severity |
High |
Recommended |
No |
Recommended Action |
Drop |
Category |
HTTP |
Keywords |
CVSTrac filediff Remote Command Execution |
Release Date |
2013/05/08 |
Update Number |
2261 |
Supported Platforms |
idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+ |
HTTP: CVSTrac filediff Remote Command Execution
This signature detects attempts to exploit a known vulnerability against CVSTrac web-based bug and patch-set tracking system for CVS. A successful attack can lead to arbitrary code execution.
Extended Description
CVSTrac is affected by a remote command execution vulnerability in the 'filediff' functionality. This issue is due to an input validation error that allows for the appending of shell commands. An attacker could leverage this issue to execute arbitrary shell commands on a vulnerable computer with the privileges of the web server process.
Affected Products
- CVSTrac 1.1.0
- CVSTrac 1.1.1
- CVSTrac 1.1.2
- CVSTrac 1.1.3
- OpenPKG 2.0.0
- OpenPKG 2.1.0
- OpenPKG Current
References
- BugTraq: 10878
- CVE: CVE-2004-1456