go.cgi in GoScript 2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) query string or (2) artarchive parameter.
GoScript 2.0 is vulnerable to remote command execution (RCE) due to insufficient input validation in the go.cgi script. Attackers can leverage this flaw to execute arbitrary commands on the server, potentially leading to complete system compromise and data exfiltration.
Step 1: Payload Delivery: The attacker crafts a malicious URL containing shell metacharacters within either the query string or the artarchive parameter of a request to go.cgi. For example, a crafted URL might include a command like & whoami; or | cat /etc/passwd.
Step 2: Request Processing: The web server receives the malicious request and passes it to the go.cgi script.
Step 3: Input Handling (Vulnerable Code): The go.cgi script retrieves the user-supplied input from the query string or artarchive parameter. Crucially, it does not sanitize or validate this input.
Step 4: Command Execution: The script then uses the unsanitized input to construct and execute a shell command. Because the input is unsanitized, the shell metacharacters are interpreted by the operating system's shell.
Step 5: Command Execution and Response: The attacker's injected commands are executed on the server. The output of these commands, or any errors, may be returned to the attacker, depending on the script's behavior and the commands executed.
The vulnerability stems from a lack of proper sanitization of user-supplied input passed to the go.cgi script, specifically within the query string and the artarchive parameter. The script passes these unsanitized inputs directly into shell commands, allowing attackers to inject shell metacharacters (e.g., ;, |, &, $()) and execute arbitrary commands. The root cause is the absence of input validation or escaping before user-controlled data reaches the underlying operating system's shell; that missing step is what turns a parameter into a command injection and, in turn, remote code execution.
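The following Python snippet is an added illustration, not GoScript's own code, of the root cause described above and of the two things a defender wants beside it: the string-concatenation pattern that lets shell metacharacters through, a hardened replacement that validates the parameter against an allowlist and builds an argument vector instead of a shell string, and a check over web-server access-log lines that flags go.cgi requests whose decoded query carries shell metacharacters. The archive directory, the log lines, and the idea that artarchive names a file to list are all assumptions made for the example.

```python
"""Added illustration (not GoScript's own code): the command-injection pattern
from the advisory, a hardened replacement, and an access-log check.
ARCHIVE_DIR, the listing command and the sample log lines are assumptions."""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlsplit

ARCHIVE_DIR = "/var/www/archives"  # assumed location, not taken from GoScript

# Characters a POSIX shell treats specially. Their presence in a value that is
# spliced into a shell string is exactly the root cause the advisory describes.
SHELL_META = re.compile(r"[;&|`$()<>\n\r\\\"']")


def vulnerable_build_command(artarchive: str) -> str:
    """The unsafe pattern: user input concatenated straight into a shell string.
    The command is returned, not executed, so the example is safe to run."""
    return f"ls -l {ARCHIVE_DIR}/{artarchive}"


def safe_archive_name(artarchive: str) -> Optional[str]:
    """Allowlist validation: a plain archive name, no path separators and no
    shell metacharacters. Anything else is rejected outright."""
    if re.fullmatch(r"[A-Za-z0-9_.-]{1,64}", artarchive) and ".." not in artarchive:
        return artarchive
    return None


def hardened_list_archive(artarchive: str) -> Optional[List[str]]:
    """Hardened form: validate first, then build an argv list so that no shell
    ever parses the value (run it with subprocess.run(argv) without shell=True).
    Returns the argv list, or None when the parameter is rejected."""
    name = safe_archive_name(artarchive)
    if name is None:
        return None
    return ["ls", "-l", f"{ARCHIVE_DIR}/{name}"]


def suspicious_go_cgi_requests(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Detection: return (path, decoded query) for go.cgi requests whose
    URL-decoded query string contains shell metacharacters. The whole query is
    checked, which covers both the query string and the artarchive parameter."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        if not parts.path.endswith("/go.cgi"):
            continue
        decoded = unquote(parts.query)
        if SHELL_META.search(decoded):
            hits.append((parts.path, decoded))
    return hits


# Constructed access-log lines for the detection check (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2000:13:55:36 +0000] "GET /cgi-bin/go.cgi?artarchive=news HTTP/1.0" 200 512',
    '10.0.0.9 - - [10/Oct/2000:13:57:01 +0000] "GET /cgi-bin/go.cgi?artarchive=news%3Bid HTTP/1.0" 200 88',
    '10.0.0.9 - - [10/Oct/2000:13:58:12 +0000] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    print("vulnerable string:", vulnerable_build_command("news;id"))
    print("hardened argv:", hardened_list_archive("news"))
    print("rejected:", hardened_list_archive("news;id"))
    print("flagged requests:", suspicious_go_cgi_requests(SAMPLE_LOG))
```

The allowlist is deliberately stricter than a metacharacter denylist: rejecting everything outside a small character set is easier to reason about than enumerating every character a shell might interpret, and passing an argument vector rather than a string removes the shell from the path entirely, so even a missed character cannot become a second command.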