CVE-2017-17562

Agar CGI yoqilgan bo'lsa va CGI dasturi dinamik ravishda bog'langan bo'lsa, 3.6.5 dan oldin ushbu GoAhead ilovasi masofaviy kodni bajarishga imkon beradi. Bu cgi.c da cgiHandler funksiyasida ishonchsiz HTTP so'rov parametrlari yordamida forklangan CGI skriptlari muhitini ishga tushirish natijasidir. Glibc dinamik bog'lovchisi bilan birlashganda, bu xatti-harakatlar LD_PRELOAD kabi maxsus parametr nomlari yordamida masofaviy kodni bajarish uchun suiiste'mol qilinishi mumkin. Buzg'unchi o'zining umumiy ob'ekt yukini so'rovning asosiy qismiga POST qilishi va yana

CVSS Vector

Manbalar

• http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
• http://www.securitytracker.com/id/1040702
• https://github.com/elttam/advisories/tree/master/CVE-2017-17562
• https://github.com/embedthis/goahead/commit/6f786c123196eb622625a920d54048629a7caa74
• https://github.com/embedthis/goahead/issues/249