| Field | Value |
| --- | --- |
| VID | 21042 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | The web server hosts the ftp.pl CGI script, which lets remote users list directory contents on the server. For example, a request such as http://target/cgi-bin/ftp/ftp.pl?dir=../../../../../../etc returns the file list of the "/etc" directory. References: http://www.iss.net/security_center/static/2054.php, http://www.roxanne.org/faqs/www-secure/wwwsf4.html#Q35 |
| Recommendation | Remove the ftp.pl file from the /cgi-bin directory. ※ Refer to http://www.feartech.com/vv/ftp.shtml for the patch. |
| Related URL | CVE-1999-1081 (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |