| VID |
21034 |
| Severity |
40 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The "day5notifier.cgi" CGI is installed on the web server. This CGI has a well-known security flaw that lets anyone execute arbitrary commands with the privileges of the HTTP daemon (root or nobody). The handler program is part of the IRIX Outbox Environment Subsystem and is installed by default on every SGI system from IRIX 6.2 onward. Older versions of IRIX may have this package installed as an option.
* References: http://bugacid.tripod.com/irix/httpd21.html, http://www.iss.net/security_center/static/3312.php |
| Recommendation |
Disable the CGI in the IRIX Outbox Environment Subsystem, then download and install the patch from SGI.
To disable the script, run:
# /bin/chmod 400 /var/www/cgi-bin/day5notifier.cgi (if /var/www is the default install path)
# /usr/sbin/versions -v remove outbox (removes the outbox subsystem) |
| Related URL |
(CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|