| VID | 21062 |
| Severity | 40 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | The 'man.sh' CGI is installed. The May 1998 issue of SysAdmin Magazine contains an article, "Web-Enabled Man Pages", which includes source code for a very nice CGI script named man.sh that feeds man pages to a web browser. The hypertext links to other man pages are an especially attractive feature. Unfortunately, this script contains a vulnerability that would allow an attacker to remotely execute commands on a web server with the UID of the user running the httpd process. References: http://www.iss.net/security_center/static/7328.php |
| Recommendation | If the script is not needed, remove the file from the CGI directory; otherwise, patch it. The author has been notified and has undertaken to replace the code posted on the www.samag.com website with corrected code. |
| Related URL | CVE-1999-1179 (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |