Vulnerabilities > CVE-2007-3572 - Remote Code Execution vulnerability in Yoggie Pico and Pico Pro Backticks
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Incomplete blacklist vulnerability in cgi-bin/runDiagnostics.cgi in the web interface on the Yoggie Pico and Pico Pro allows remote attackers to execute arbitrary commands via shell metacharacters in the param parameter, as demonstrated by URL encoded "`" (backtick) characters (%60 sequences). The vendor has addressed this issue through the release of the following product update: http://www.yoggie.com/supportcase.asp
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 2 |
Exploit-Db
| description | Yoggie Pico and Pico Pro Backticks Remote Code Execution Vulnerability. CVE-2007-3572. Webapps exploit for cgi platform |
| id | EDB-ID:30260 |
| last seen | 2016-02-03 |
| modified | 2007-07-02 |
| published | 2007-07-02 |
| reporter | Cody Brocious |
| source | https://www.exploit-db.com/download/30260/ |
| title | Yoggie Pico and Pico Pro Backticks Remote Code Execution Vulnerability |
References
- http://archives.neohapsis.com/archives/fulldisclosure/2007-07/0020.html
- http://archives.neohapsis.com/archives/fulldisclosure/2007-07/0092.html
- http://osvdb.org/37808
- http://secunia.com/advisories/25902
- http://www.securityfocus.com/bid/24743
- http://www.vupen.com/english/advisories/2007/2417
- https://exchange.xforce.ibmcloud.com/vulnerabilities/35208