HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file(). send_file() opens its string argument with Perl's 2-arg open(). The 2-arg form interprets magic prefixes: '| cmd' and 'cmd |' open a pipe to a subprocess, '> path' and '>> path' open the path for write or append. Untrusted input passed to send_file() can run OS commands at the daemon process UID. The read-pipe form ('cmd |') also leaks subprocess stdout into the HTTP response body. The write-mode forms can create or truncate files at attacker chosen paths.
| Vendor | Product | Versions |
|---|---|---|
| perl | http::daemon | 0 |
Downstream vendors/products affected by this vulnerability
| Vendor | Product | Source | Confidence |
|---|---|---|---|
| red hat | enterprise linux | cert_advisory | 90% |
Updated vendor to Red Hat, product to Red Hat Enterprise Linux, changed severity to HIGH, and marked exploit as available and actively exploited.
Updated severity to CRITICAL, marked as actively exploited, and added affected version 6.16.
Initial creation