GoAhead web server remote code execution

Description
  • GoAhead is a tiny, embedded web server. GoAhead is deployed in hundreds of millions of devices and is ideal for the smallest of embedded devices.

    GoAhead web server versions earlier than 3.6.5 unsafely initialize the environment of forked CGI scripts from untrusted HTTP request parameters. All deployments that have CGI support enabled and serve dynamically linked CGI executables are affected. Because the glibc dynamic linker honours environment variables such as LD_PRELOAD when the CGI child is executed, this behaviour can be abused for remote code execution.
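    The defect described above is that client-supplied parameter names are copied into the CGI child's environment without filtering. The following C program is an added illustration of the mitigation, not GoAhead's code: a simplified, hypothetical `build_cgi_env` that allow-lists environment variable names (letters, digits, underscore only) and additionally rejects any name the dynamic loader interprets (the `LD_` prefix, matched case-insensitively, which covers LD_PRELOAD, LD_LIBRARY_PATH, LD_AUDIT and similar). The sample parameter names and values are constructed for the demonstration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified model of a server turning HTTP request parameters
   into CGI environment variables. This is example code, not GoAhead's own. */

#define MAX_ENV 32

/* Names beginning with "LD_" are interpreted by the glibc dynamic linker when
   the child process starts, so a CGI program must never receive them from a
   client. The comparison is case-insensitive to be conservative. */
static int is_loader_controlled(const char *name) {
    return toupper((unsigned char)name[0]) == 'L' &&
           toupper((unsigned char)name[1]) == 'D' &&
           name[2] == '_';
}

/* Allow-list for environment variable names: non-empty, first character a
   letter or underscore, remaining characters alphanumeric or underscore, and
   not reserved for the dynamic loader. Returns 1 if the name may be passed. */
int cgi_env_name_is_safe(const char *name) {
    if (name == NULL || *name == '\0') return 0;
    if (!(isalpha((unsigned char)*name) || *name == '_')) return 0;
    for (const char *p = name; *p; p++) {
        if (!(isalnum((unsigned char)*p) || *p == '_')) return 0;
    }
    if (is_loader_controlled(name)) return 0;
    return 1;
}

/* Build "NAME=value" entries into envp (NULL-terminated), skipping rejected
   names. Returns the number of entries written; caller frees with free_cgi_env. */
int build_cgi_env(const char **names, const char **values, int n,
                  char **envp, int max) {
    int count = 0;
    for (int i = 0; i < n && count < max - 1; i++) {
        if (!cgi_env_name_is_safe(names[i])) {
            fprintf(stderr, "rejected client-supplied env name: %s\n", names[i]);
            continue;
        }
        size_t len = strlen(names[i]) + 1 + strlen(values[i]) + 1;
        char *entry = malloc(len);
        if (entry == NULL) break;
        snprintf(entry, len, "%s=%s", names[i], values[i]);
        envp[count++] = entry;
    }
    envp[count] = NULL;
    return count;
}

void free_cgi_env(char **envp) {
    for (int i = 0; envp[i] != NULL; i++) free(envp[i]);
}

int main(void) {
    /* Constructed sample request parameters, as a server might have parsed them. */
    const char *names[]  = { "user",  "LD_PRELOAD", "ld_library_path", "PATH", "bad name" };
    const char *values[] = { "alice", "/tmp/x.so",  "/tmp",            "/bin", "x" };
    char *envp[MAX_ENV];

    int n = build_cgi_env(names, values, 5, envp, MAX_ENV);
    printf("%d variables accepted for the CGI child:\n", n);
    for (int i = 0; i < n; i++) printf("  %s\n", envp[i]);
    free_cgi_env(envp);
    return 0;
}
```

    Rejecting the `LD_` prefix closes the path named in the description, but the allow-list is the more important part: the CGI specification already delivers request data to the script through QUERY_STRING and the standard CGI variables, so a server has little reason to promote arbitrary client-chosen names into the child's environment at all.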
Remediation
  • Upgrade to the latest version of GoAhead Web Server. This vulnerability was fixed in GoAhead Web Server version 3.6.5.
References