Details of VAR-200208-0198

ID

VAR-200208-0198

CVE

CVE-2002-0488

TITLE

Linux Directory Penguin Traceroute Remote command execution vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-200208-005

DESCRIPTION

Linux Directory Penguin traceroute.pl CGI script 1.0 allows remote attackers to execute arbitrary code via shell metacharacters in the host parameter. Penguin traceroute.pl is a freely available, open source script for tracing network hops from a web server. It is distributed by Linux Directory. The Penguin traceroute script does not adequately filter special characters. This makes it possible for a remote user to embed commands into a request using special characters such as the ';' or '|' characters. The embedded command would be executed with the permissions of the web browser. Penguin traceroute.pl is a program implemented by perl language to provide routing trace function under WEB interface, developed and maintained by Linux Directory. Penguin traceroute.pl does not adequately filter the input when executing the traceroute program, allowing attackers to execute arbitrary commands with httpd privileges. An attacker can enter the metacharacter \";\" and then append any command, which will cause the attacker to execute any command with httpd authority

Trust: 1.26

sources: NVD: CVE-2002-0488 // BID: 4332 // VULHUB: VHN-4881

AFFECTED PRODUCTS

vendor:	linux directory penguin	model:	traceroute	scope:	eq	version:	1.0	Trust: 1.6
vendor:	linux	model:	directory penguin traceroute	scope:	eq	version:	1.0	Trust: 0.3

sources: BID: 4332 // CNNVD: CNNVD-200208-005 // NVD: CVE-2002-0488

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2002-0488
value:	HIGH
Trust: 1.0
CNNVD:	CNNVD-200208-005
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-4881
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2002-0488
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
VULHUB:	VHN-4881
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-4881 // CNNVD: CNNVD-200208-005 // NVD: CVE-2002-0488

PROBLEMTYPE DATA

problemtype:

NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2002-0488

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200208-005

TYPE

unknown

Trust: 0.6

sources: CNNVD: CNNVD-200208-005

EXTERNAL IDS

db:	BID	id:	4332	Trust: 2.0
db:	NVD	id:	CVE-2002-0488	Trust: 1.7
db:	CNNVD	id:	CNNVD-200208-005	Trust: 0.7
db:	XF	id:	8600	Trust: 0.6
db:	BUGTRAQ	id:	20020321 PHP SCRIPT: PENGUIN TRACEROUTE, REMOTE COMMAND EXECUTION	Trust: 0.6
db:	VULHUB	id:	VHN-4881	Trust: 0.1

sources: VULHUB: VHN-4881 // BID: 4332 // CNNVD: CNNVD-200208-005 // NVD: CVE-2002-0488

REFERENCES

url:	http://www.securityfocus.com/bid/4332	Trust: 1.7
url:	http://www.securityfocus.com/archive/1/263285	Trust: 1.7
url:	http://www.linux-directory.com/scripts/traceroute.pl	Trust: 1.7
url:	http://www.iss.net/security_center/static/8600.php	Trust: 1.7
url:	http://www.linux-directory.com/scripts/traceroute.shtml	Trust: 0.3

sources: VULHUB: VHN-4881 // BID: 4332 // CNNVD: CNNVD-200208-005 // NVD: CVE-2002-0488

CREDITS

paul jenkins※ jenkins@securityfreaks.com

Trust: 0.6

sources: CNNVD: CNNVD-200208-005

SOURCES

db:	VULHUB	id:	VHN-4881
db:	BID	id:	4332
db:	CNNVD	id:	CNNVD-200208-005
db:	NVD	id:	CVE-2002-0488

LAST UPDATE DATE

2025-04-03T22:30:55.385000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-4881	date:	2008-09-05T00:00:00
db:	BID	id:	4332	date:	2002-03-21T00:00:00
db:	CNNVD	id:	CNNVD-200208-005	date:	2006-09-22T00:00:00
db:	NVD	id:	CVE-2002-0488	date:	2025-04-03T01:03:51.193

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-4881	date:	2002-08-12T00:00:00
db:	BID	id:	4332	date:	2002-03-21T00:00:00
db:	CNNVD	id:	CNNVD-200208-005	date:	2002-03-21T00:00:00
db:	NVD	id:	CVE-2002-0488	date:	2002-08-12T04:00:00