PT-2017-3348 · Gnu+1 · Glibc+1

Daniel Hodson · Published 2017-06-08 · Updated 2025-11-16 · CVE-2017-17562

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Embedthis GoAhead versions prior to 3.6.5

Description

The issue is related to the initialization of the environment of forked CGI scripts using untrusted HTTP request parameters in the cgiHandler function. This can be abused for remote code execution when combined with the glibc dynamic linker, using special parameter names such as LD_PRELOAD. An attacker can send a shared object payload in the body of a request and reference it using /proc/self/fd/0. The vulnerability allows a remote attacker to execute arbitrary code by sending a specially crafted HTTP request that includes parameters with the "LD_" prefix, which are used to create environment variables.

Recommendations

For Embedthis GoAhead versions prior to 3.6.5, update to version 3.6.5 or later to resolve the issue. As a temporary workaround, consider disabling the cgiHandler function or restricting the use of dynamically linked CGI programs until a patch is available. Additionally, restrict access to the LD_PRELOAD parameter to minimize the risk of exploitation.
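The weak pattern from the description (request parameter names copied straight into the CGI child's environment) next to a hardened form, as an added example that is not GoAhead's own code. The `CGI_` prefix, the function names and the sample parameters are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed prefix (hypothetical name): namespaces every request parameter so
 * it cannot collide with a variable the dynamic linker interprets. */
#define CGI_VAR_PREFIX "CGI_"

/* 1 if the envp entry would be read by the glibc loader (LD_* namespace). */
int is_loader_var(const char *entry) { return strncmp(entry, "LD_", 3) == 0; }

/* 1 if name is non-empty and only [A-Za-z0-9_]; rejects '=', spaces, etc. */
static int is_safe_name(const char *name)
{
    if (*name == '\0') return 0;
    for (; *name; name++)
        if (!isalnum((unsigned char)*name) && *name != '_') return 0;
    return 1;
}

/* Weak pattern from the description: parameter name copied verbatim. */
int env_entry_unsafe(const char *name, const char *value, char *out, size_t len)
{
    int n = snprintf(out, len, "%s=%s", name, value);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Hardened: validate the name, then prefix it. Returns -1 to drop the parameter. */
int env_entry_safe(const char *name, const char *value, char *out, size_t len)
{
    int n;
    if (!is_safe_name(name)) return -1;
    n = snprintf(out, len, "%s%s=%s", CGI_VAR_PREFIX, name, value);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample parameters, as a request parser might hand them over. */
    const char *params[][2] = { {"user", "alice"}, {"LD_PRELOAD", "/proc/self/fd/0"},
                                {"a=b", "x"} };
    char weak[128], hard[128];
    for (size_t i = 0; i < sizeof params / sizeof params[0]; i++) {
        env_entry_unsafe(params[i][0], params[i][1], weak, sizeof weak);
        int rc = env_entry_safe(params[i][0], params[i][1], hard, sizeof hard);
        printf("%-32s loader=%d | %s\n", weak, is_loader_var(weak),
               rc == 0 ? hard : "(dropped)");
    }
    return 0;
}
```

Prefixing keeps every parameter available to the CGI program under a predictable name while removing the attacker's control over which environment variable gets set.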

Exploit

Fix

RCE


Weakness Enumeration

Related identifiers

BDU:2018-00118
CVE-2017-17562

Affected products

Embedthis Goahead
Glibc