| VID | 21040 |
| Severity | 40 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | The '/cgi-bin/ews/ews/architext_query.pl' CGI is installed. The CGI installed in Excite for Web Servers 1.1 or below has a vulnerability in the way it parses metacharacters passed to the shell that lets anyone execute arbitrary commands with the privileges of the http daemon (root or nobody). This vulnerability affects machines running EWS on both Windows NT and Unix. * References: http://www.iss.net/security_center/static/1418.php http://www.cert.org/advisories/CA-1998-01.html |
| Recommendation | Version 1.1 and newer are patched, but multiple versions of EWS have been shipped under the 1.1 version number, so version number alone is not indicative of a vulnerability. Restrict access to EWS on your web site until you can retrieve the latest version made available by Excite. |
| Related URL | CVE-1999-0279 (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |