Step 1: Payload Delivery: The attacker crafts a malicious HTTP request to the survey.cgi script. This request includes a specially crafted input parameter containing shell metacharacters and the desired command to execute (e.g., id, whoami, or a reverse shell command).
Step 2: Input Processing: The survey.cgi script receives the malicious request and processes the input parameters. Due to the lack of proper input validation, the script directly incorporates the attacker-supplied input into a shell command without sanitization.
Step 3: Command Execution: The shell interprets the injected metacharacters as shell syntax rather than as data, so the attacker's command runs on the server with the privileges of the web server user.
Step 4: Result Retrieval (Optional): Depending on the command, the attacker may attempt to retrieve the results of the executed command, such as by redirecting the output to a file accessible via the web server or by establishing a reverse shell connection.
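Seen from the defender's side, Step 1 leaves a trace: requests to survey.cgi whose decoded parameters contain shell metacharacters. The following is an added example, not code from the original page or from the survey.cgi project, that scans access-log lines for such requests. It assumes combined-format logs and parameters sent in the GET query string (POST bodies do not appear in access logs); the function name, log lines and parameter names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Characters the shell treats as syntax; benign text can contain them too, so hits need triage.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r\\]")
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample lines (combined log format), not taken from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /cgi-bin/survey.cgi?name=alice&answer=yes HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/survey.cgi?name=bob%3Bid HTTP/1.1" 200 498',
    '192.0.2.44 - - [01/Jan/2024:10:00:09 +0000] "GET /cgi-bin/survey.cgi?name=x%7Cwhoami HTTP/1.1" 200 470',
    '192.0.2.77 - - [01/Jan/2024:10:00:12 +0000] "GET /index.html?q=a%3Bb HTTP/1.1" 200 1024',
    '192.0.2.91 - - [01/Jan/2024:10:00:20 +0000] "GET /cgi-bin/survey.cgi?comment=R%26D+team HTTP/1.1" 200 505',
]

def find_suspicious(lines, script="survey.cgi"):
    """Return (line_no, param, decoded_value, metachars) for requests to `script`."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a parseable request line
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/" + script):
            continue  # only the CGI script under review
        # Split on '&' before decoding so an encoded %26 stays inside its value.
        for pair in parts.query.split("&"):
            key, _, value = pair.partition("=")
            key, value = unquote_plus(key), unquote_plus(value)
            found = sorted(set(SHELL_META.findall(key + value)))
            if found:
                hits.append((lineno, key, value, "".join(found)))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

The last sample line shows a benign value ("R&D team") that also matches, so treat the output as a triage list rather than a verdict.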