There is a vulnerability in Kootenay Web Inc's KW Whois v1.0 which allows
malicious users to execute commands as the uid/gid of the webserver.
The hole lies in unchecked user input from a form input box: the script
does not check the form element for unsafe characters before interpolating
it into a backtick (shell) command.
$site = $query->param('whois');
$app = `whois $site`;
print "$app .......
Proof of concept:
Type ";id" (without the quotes) into the input box.
Mark Stratman (count0)
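
A hardened form of the lookup shown above, as an added example that is not part of the original advisory or of KW Whois itself. The helper names (valid_target, run_whois, html_escape) are hypothetical, the sample inputs are constructed, and a whois binary on PATH is assumed.

```perl
#!/usr/bin/perl
# Added example (not KW Whois code): the same lookup with an allow-list
# check on the form value and no shell between the script and whois.
use strict;
use warnings;

# Accept only a hostname or dotted IPv4 address; return the validated
# value, or nothing if any other character is present.
sub valid_target {
    my ($input) = @_;
    return unless defined $input && length($input) <= 253;
    # Dot-separated labels of letters, digits and hyphens, each starting
    # with a letter or digit (so the value can never look like an option).
    # \A and \z are used so a trailing newline cannot slip past the anchor.
    return $1 if $input =~
        /\A([A-Za-z0-9][A-Za-z0-9-]{0,62}(?:\.[A-Za-z0-9][A-Za-z0-9-]{0,62})*)\z/;
    return;
}

# List-form pipe open: Perl execs whois directly with $target as a single
# argument, so shell metacharacters are never interpreted.
sub run_whois {
    my ($target) = @_;
    open(my $fh, '-|', 'whois', $target) or return;
    local $/;                 # slurp the whole response
    my $out = <$fh>;
    close $fh;
    return $out;
}

# Escape whois output before placing it in the HTML response.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g; $s =~ s/</&lt;/g; $s =~ s/>/&gt;/g; $s =~ s/"/&quot;/g;
    return $s;
}

# Constructed sample inputs; in the CGI the value comes from param('whois')
# and an accepted one would be printed as html_escape(run_whois($site)).
for my $raw ('example.com', ';id', 'example.com;id', "example.com\n", '-h') {
    my $site = valid_target($raw);
    (my $shown = $raw) =~ s/\n/\\n/g;
    printf "%-18s %s\n", $shown, defined $site ? 'accepted' : 'rejected';
}
```

Only the first sample is accepted; the loop performs no network lookups, so it runs offline.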