Vulnerability
WebWho+ (a whois cgi)
Affected
Those using WebWho+ v1.1
Description
The following is based on hhp-ADV#13. WebWho+ v1.1 checks for shell
escape characters in its 'command' parameter, but nothing keeps a
client from changing the preselected, default TLD options. WebWho+ v1.1
does NOT check for shell escape characters in its 'type' (TLD)
parameter, which is what is being exploited.
The exploit is available to download via:
http://hhp.perlx.com/ourexploits/hhp-webwho.pl
Solution
Download a secure whois common gateway interface that parses shell
escape characters from:
http://cgi.resourceindex.com/Programs_and_Scripts/Perl/Internet_Utilities/Whois/
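The flaw described above is a check applied to 'command' but not to 'type'; a whois gateway has to validate every field and keep the shell out of the call. The Perl below is an added example, not WebWho+ code or code from the advisory. It assumes the query is built from 'command' (a domain label) and 'type' (a TLD); the TLD list and the names build_query and run_whois are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed set of TLD options the form offers (constructed for this example).
my %ALLOWED_TLD = map { $_ => 1 } qw(com net org edu);

# Return "name.tld" if both fields are acceptable, otherwise undef.
sub build_query {
    my ($command, $type) = @_;
    return unless defined $command && defined $type;
    $type =~ s/^\.//;    # tolerate a leading dot in the submitted option
    # 'type' must equal one of the preselected options as a whole string,
    # so a value the client edited in the form never gets through.
    return unless $ALLOWED_TLD{ lc $type };
    # 'command' must be one DNS label. \A and \z anchor the whole string;
    # '$' would also accept a trailing newline.
    return unless $command =~ /\A[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\z/;
    return lc "$command.$type";
}

# Run whois through a list-form exec, so no shell ever parses the query.
sub run_whois {
    my ($query) = @_;
    my $pid = open(my $out, '-|');    # fork; child's STDOUT feeds $out
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {
        exec { 'whois' } 'whois', $query or exit 127;
    }
    local $/;                         # slurp the whole reply
    my $text = <$out>;
    close $out;
    return $text;
}

# Constructed sample inputs as (command, type) pairs; the offline run
# only validates them and does not call run_whois.
my @samples = (
    [ 'example',  'com'   ],
    [ 'example',  'com;x' ],
    [ 'exa mple', 'net'   ],
    [ 'example',  'ORG'   ],
);
for my $s (@samples) {
    my $q = build_query(@$s);
    printf "%-10s %-8s => %s\n", $s->[0], $s->[1],
        defined $q ? "query $q" : 'rejected';
}
```

Of the four samples, the first and last produce a query (example.com, example.org) and the other two are rejected.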