Main
Vulnerability Database
Exploits
ID:8866 - Exploit for Remote code execution in GoAhead - CVE-2017-17562
ID:8866 - Exploit for Remote code execution in GoAhead - CVE-2017-17562
Published: February 23, 2023
Vulnerability identifier: #VU9817
Vulnerability risk: High
CVE-ID: CVE-2017-17562
CWE-ID: CWE-20
Exploitation vector: Remote access
Vulnerable software:
GoAhead
GoAhead
Link to public exploit:
Vulnerability description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to an error in the cgiHandler function when CGI is enabled and a CGI program is dynamically linked. A remote attacker can make untrusted HTTP request parameters containing shared object payload in the cgiHandler function in cgi.c, allocate an array of pointers for the envp argument of the new process, initialize the environment of forked CGI scripts and execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
The weakness exists due to an error in the cgiHandler function when CGI is enabled and a CGI program is dynamically linked. A remote attacker can make untrusted HTTP request parameters containing shared object payload in the cgiHandler function in cgi.c, allocate an array of pointers for the envp argument of the new process, initialize the environment of forked CGI scripts and execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
Remediation
Update to version 3.6.5.