erlyaws / yaws

Yaws webserver
https://erlyaws.github.io
BSD 3-Clause "New" or "Revised" License

http://yaws.hyber.org/ is vulnerable to unauthorized command injection #408

Closed 13ph03nix closed 4 years ago

13ph03nix commented 4 years ago

Yaws versions 1.81 to 2.0.7 are vulnerable to unauthorized command injection.

➜ curl -k -I http://yaws.hyber.org
HTTP/1.1 200 OK
Server: Yaws 2.0.6
Date: Thu, 10 Sep 2020 11:29:47 GMT
Content-Type: text/html

➜ python3 poc.py http://yaws.hyber.org 'netstat -tunlp'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN      20767/perl
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      7433/beam.smp
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      20971/master
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      9293/systemd-resolv
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      21014/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      20971/master
tcp        0      0 127.0.0.1:36841         0.0.0.0:*               LISTEN      7433/beam.smp
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      27396/mysqld
tcp6       0      0 ::1:783                 :::*                    LISTEN      20767/perl
tcp6       0      0 :::143                  :::*                    LISTEN      588/couriertcpd
tcp6       0      0 :::22                   :::*                    LISTEN      21014/sshd
tcp6       0      0 :::993                  :::*                    LISTEN      21085/couriertcpd
udp        0      0 127.0.0.53:53           0.0.0.0:*                           9293/systemd-resolv
udp        0      0 37.252.126.79:68        0.0.0.0:*                           9288/systemd-networ
udp6       0      0 fe80::21a:4aff:fee6:546 :::*                                9288/systemd-networ

For security purposes, the proof of concept is not attached. Please upgrade ASAP :)
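
The report gives only the affected version range (1.81 through 2.0.7) and shows the server identifying itself via the `Server: Yaws 2.0.6` header. The following is an added defensive example, not code from the reporter or the Yaws project: it parses a Server header value and decides whether the advertised version falls inside that range, using tuple comparison so that 2.0.10 correctly sorts above 2.0.7 (a plain string compare would get this wrong). The banner format `Yaws <version>` is taken from the curl output above; the sample header values other than `Yaws 2.0.6` are constructed. A banner check is only a triage heuristic, since the header can be suppressed or altered; the authoritative check is the installed package version.

```python
"""Triage helper: is an advertised Yaws version inside the range the
report names as affected (1.81 through 2.0.7 inclusive)?

Added example, not part of the issue or of Yaws itself. Assumes the
Server header has the form "Yaws <version>" as seen in the report.
"""
import re
from urllib.error import HTTPError
from urllib.request import Request, urlopen

AFFECTED_MIN = (1, 81)    # first affected version, per the report
AFFECTED_MAX = (2, 0, 7)  # last affected version, per the report

# Matches "Yaws 2.0.6" or "Yaws/2.0.6" and captures the dotted version.
_SERVER_RE = re.compile(r"^\s*Yaws[ /](\d+(?:\.\d+)*)", re.IGNORECASE)


def parse_yaws_version(server_header):
    """Return the version as a tuple of ints, or None if the header is
    missing or does not look like a Yaws banner."""
    if server_header is None:
        return None
    m = _SERVER_RE.match(server_header)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version):
    """True when version lies in [AFFECTED_MIN, AFFECTED_MAX].
    Tuples compare element-wise, so (2, 0, 10) > (2, 0, 7)."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def classify(server_header):
    """Map one Server header value to 'affected', 'not-affected'
    (older than 1.81 or newer than 2.0.7), or 'not-yaws'."""
    version = parse_yaws_version(server_header)
    if version is None:
        return "not-yaws"
    return "affected" if is_affected(version) else "not-affected"


def fetch_server_header(url, timeout=5):
    """Issue a HEAD request and return the Server header (None if absent).
    Network access happens only when this is called explicitly; the
    non-2xx branch still returns the header so a 403/404 is still triaged."""
    req = Request(url, method="HEAD")
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.headers.get("Server")
    except HTTPError as err:
        return err.headers.get("Server")


if __name__ == "__main__":
    # Constructed sample banners; only "Yaws 2.0.6" comes from the report.
    samples = ["Yaws 2.0.6", "Yaws 1.81", "Yaws 2.0.7", "Yaws 2.0.8",
               "Yaws 2.0.10", "Yaws 1.80", "nginx/1.18.0", None]
    for header in samples:
        print(f"{str(header):16} -> {classify(header)}")
```

To triage a host you own, call `classify(fetch_server_header("http://host.example"))`; the parsing and range logic are kept separate from the network call so the same classifier can be run over Server headers already collected in proxy or scanner logs.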

vinoski commented 4 years ago

Thanks for the report, but the server yaws.hyber.org is no longer used by this project, nor is it under direct control of this project. Immediately after this issue was posted, I alerted the owner to update it.