Arbitrary Command Execution via Unquoted Filenames in xloadimage and xli

Arbitrary Command Execution via Unquoted Filenames in xloadimage and xli

CVE-2005-0638 · HIGH Severity

AV:N/AC:L/AU:N/C:P/I:P/A:P

xloadimage before 4.1-r2, and xli before 1.17, allows attackers to execute arbitrary commands via shell metacharacters in filenames for compressed images, which are not properly quoted when calling the gunzip command.

Learn more about our Web Application Penetration Testing UK.