| VID | 21049 |
| Severity | 40 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | The 'guestbook.pl' CGI is installed. This guestbook CGI program contains a vulnerability that allows a remote attacker to execute arbitrary commands on the web server. The vulnerability is present in Selena Sol's guestbook on servers with Server Side Includes enabled. References: http://www.iss.net/security_center/static/321.php http://www.extropia.com/scripts/guestbook_security.html |
| Recommendation | If the script is not needed, remove the file from the CGI directory. Otherwise, apply one of the following fixes. Solution A: modify the guestbook.setup file, adding the word exec to the comma-delimited @bad_words variable. Solution B: modify the guestbook.setup file so that the @allow_html variable is set to no. |
| Related URL | CVE-1999-0237 (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |