VYPR
← All advisories
Unrated severityNVD Advisory· Published Aug 2, 2001· Updated Apr 16, 2026

CVE-2001-1130

CVE-2001-1130

Description

Sdbsearch.cgi in SuSE Linux 6.0-7.2 allows remote command execution via shell metacharacters in filenames uploaded in keylist.txt and a crafted HTTP referer.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Sdbsearch.cgi in SuSE Linux 6.0-7.2 allows remote command execution via shell metacharacters in filenames uploaded in keylist.txt and a crafted HTTP referer.

Vulnerability

The vulnerability resides in sdbsearch.cgi in SuSE Linux versions 6.0 through 7.2. The script processes a keylist.txt file that contains filenames. If an attacker can upload a keylist.txt file with filenames containing shell metacharacters (e.g., backticks, semicolons), and then cause the script to search that file by using a directory traversal (..) in the HTTP_REFERER variable, the metacharacters are interpreted by the shell, leading to command execution [1].

Exploitation

An attacker must first upload a malicious keylist.txt file to a directory accessible by the web server. Then, they send a request to sdbsearch.cgi with an HTTP Referer header containing ../ to point to that directory. The script reads the keylist.txt and passes filenames to a shell command, executing the embedded commands. No authentication is required; the attacker only needs network access to the web server.

Impact

Successful exploitation allows remote attackers to execute arbitrary commands on the server with the privileges of the web server process (typically wwwrun or similar). This can lead to full compromise of the system, including data theft, modification, or further attacks.

Mitigation

SuSE released an advisory (SuSE Security Announcement 2001:027) [1]. The fix involves upgrading sdbsearch.cgi or applying a patch. Users should update to a corrected version. As this is an old vulnerability, modern SuSE Linux versions are not affected. No workaround is provided in the reference.

References
  1. Security - Support

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

7
  • SUSE S.A./Linux6 versions
    cpe:2.3:o:suse:suse_linux:6.0:*:*:*:*:*:*:*+ 5 more
    • cpe:2.3:o:suse:suse_linux:6.0:*:*:*:*:*:*:*
    • cpe:2.3:o:suse:suse_linux:6.3:*:*:*:*:*:*:*
    • cpe:2.3:o:suse:suse_linux:6.4:*:*:*:*:*:*:*
    • cpe:2.3:o:suse:suse_linux:7.0:*:*:*:*:*:*:*
    • cpe:2.3:o:suse:suse_linux:7.1:*:*:*:*:*:*:*
    • cpe:2.3:o:suse:suse_linux:7.2:*:*:*:*:*:*:*
  • Novell/Suse Linuxllm-fuzzy
    Range: 6.0-7.2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The sdbsearch.cgi script uses data directly from the 'Referer' header as a path without proper sanitization, allowing for command injection."

Attack vector

An attacker must first create a malicious "keylist.txt" file containing shell metacharacters within filenames, for example, in the /tmp directory [ref_id=1]. The attacker then sends an HTTP request to the sdbsearch.cgi script, manipulating the 'Referer' header to include a path traversal sequence (e.g., "../../..") pointing to the directory containing the crafted "keylist.txt" file [ref_id=1]. This causes the script to interpret the malicious filenames as commands when attempting to open the "keylist.txt" file [ref_id=1].

Affected code

The vulnerability resides in the sdbsearch.cgi script, specifically in how it processes the 'Referer' header field from HTTP requests. This header is used as a path to open the "keylist.txt" file, which is then processed by Perl's open() command [ref_id=1].

What the fix does

The patch is not available in the provided bundle. The advisory suggests that an input validation error exists in the sdbsearch.cgi script, which uses data directly from the 'Referer' header field as a path when opening its "keylist.txt" file [ref_id=1]. Without a patch, the vulnerability remains unaddressed.

Preconditions

  • inputThe attacker must be able to upload or create a file named "keylist.txt" on the vulnerable server, containing malicious filenames with shell metacharacters [ref_id=1].
  • networkThe attacker must be able to send HTTP requests to the vulnerable sdbsearch.cgi script.

Reproduction

Proof of concept is very simple, just create harmful keylist.txt for instance in /tmp directory and send request to http server like this: GET /cgi-bin/sdbsearch.cgi?stichwort=keyword HTTP/1.0 Referer: http://szachy.org/../../../../../tmp (very deep traversal because we don't know what is DOCUMENT_ROOT)

and an example content of our /tmp/keylist.txt create like this: $ echo -e "keyword\0touch exploitable|" > /tmp/keylist.txt

After successful attempt there will be "exploitable" file in /tmp directory. [ref_id=1]

Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

0

No linked articles in our index yet.