Albatross context.py command execution

albatross-context-command-execution (24130) The risk level is classified as MediumMedium Risk

Description:

Albatross could allow a remote attacker to execute arbitrary commands on the system, caused by a vulnerability in the context.py script. The context.py script fails to properly validate user-supplied input, which could be exploited by a remote attacker to execute arbitrary commands on the system using a malicious template file.

Platforms Affected:

  • Debian, Debian Linux 3.1
  • Object Craft, Albatross 1.32 and prior

Remedy:

Upgrade to the latest version of Albatross (1.33 or later), available from the Object Craft Web site. See References.

For Debian GNU/Linux 3.1:
Refer to DSA-942-1 for upgrade information. See References.

Consequences:

Gain Access

References:

  • Object Craft Web site, Albatross - a Toolkit for Stateful Web Applications at http://www.object-craft.com.au/projects/albatross/download.html.
  • BID-16252: Albatross Remote Arbitrary Code Execution Vulnerability
  • CVE-2006-0044: Unspecified vulnerability in context.py in Albatross web application toolkit before 1.33 allows remote attackers to execute arbitrary commands via unspecified vectors involving template files and the handling of submitted form fields.
  • DSA-942: albatross -- design error
  • OSVDB ID: 22451: Albatross Template Manipulation Arbitrary Command Execution
  • SA18457: Albatross Arbitrary Command Execution Vulnerability
  • VUPEN/ADV-2006-0196: Albatross Parameters Handling Remote Command Execution Vulnerability

Reported:

Jan 16, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page