CVE-2002-0094 in BSCWinfo

Summary

by MITRE

config_converters.py in BSCW (Basic Support for Cooperative Work) 3.x and versions before 4.06 allows remote attackers to execute arbitrary commands via shell metacharacters in the file name during filename conversion.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 09/23/2025

The vulnerability identified as CVE-2002-0094 represents a critical command injection flaw within the BSCW collaborative work environment software. This issue specifically affects versions 3.x and earlier releases before 4.06, where the config_converters.py script fails to properly sanitize user-supplied input during file name conversion processes. The vulnerability stems from inadequate input validation mechanisms that allow malicious actors to inject shell metacharacters directly into file names, thereby enabling unauthorized command execution on the affected system. This represents a classic command injection vulnerability that can be exploited to gain arbitrary code execution privileges.

The technical exploitation of this vulnerability occurs when an attacker submits a specially crafted filename containing shell metacharacters such as semicolons, ampersands, or backticks during the conversion process. The config_converters.py script processes these filenames without proper sanitization, leading to the execution of unintended shell commands with the privileges of the BSCW service account. This flaw operates at the application level and can be leveraged by remote attackers without requiring authentication, making it particularly dangerous for publicly accessible collaborative platforms. The vulnerability directly maps to CWE-78, which describes improper neutralization of special elements used in OS commands, and aligns with ATT&CK technique T1059.001 for command and script injection.

The operational impact of this vulnerability extends beyond simple command execution to encompass complete system compromise and potential data exfiltration. An attacker could leverage this vulnerability to install backdoors, modify system configurations, access sensitive user data, or establish persistent access to the compromised environment. Given that BSCW is designed for collaborative work environments, the attack surface includes all users who might upload files through the platform, potentially affecting organizations with extensive collaborative workflows. The vulnerability also poses significant risk to network infrastructure as it could enable lateral movement within compromised networks, especially if the BSCW system has access to other internal resources.

Organizations affected by this vulnerability should implement immediate mitigations including upgrading to BSCW version 4.06 or later, which contains the necessary input validation fixes. Additionally, network segmentation and access controls should be implemented to limit exposure of the vulnerable system to untrusted networks. Input validation measures such as proper escaping of shell metacharacters, implementation of allowlists for acceptable filename characters, and comprehensive sanitization of user-supplied data should be enforced at multiple layers of the application architecture. System administrators should also monitor for suspicious file upload activities and implement intrusion detection systems to identify potential exploitation attempts. The remediation process should include thorough testing of the updated software to ensure that the vulnerability is completely resolved while maintaining existing functionality for legitimate users.

Disclosure

03/25/2002

Moderation

accepted

Entry

VDB-17991

CPE

ready

EPSS

0.03287

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!