| Field | Value |
|---|---|
| VID | 21102 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | The "wrap" CGI program is installed. Several programs provided with the Outbox Environment subsystem have been found to be insecure: the cgi-bin programs webdist.cgi, handler and wrap shipped with IRIX 5.x and 6.x. The wrap CGI program in IRIX allows remote attackers to view arbitrary directory listings via a .. (dot dot) attack. This issue has been publicly disclosed and discussed in several public forums, including the BUGTRAQ mailing list, as well as in the security advisories CERT CA-97.12 and AUSCERT AA-97.14.<br>To determine whether the Outbox software is installed on a particular system, run:<br>`% /usr/sbin/versions outbox.sw`<br>References: http://www.securityfocus.com/bid/380, http://www.iss.net/security_center/static/290.php |
| Recommendation | Solution A - Change program permissions. Log in as root on the vulnerable machine and type:<br>`# /bin/chmod 400 /var/www/cgi-bin/webdist.cgi`<br>`# /bin/chmod 400 /var/www/cgi-bin/handler`<br>`# /bin/chmod 400 /var/www/cgi-bin/wrap`<br>Solution B - Remove the vulnerable outbox subsystem. Log in as root on the vulnerable machine and remove the outbox subsystem:<br>`# /usr/sbin/versions -v remove outbox`<br>Solution C - Patch the program. Patches are available from ftp://sgigate.sgi.com/Patches for the following versions:<br>IRIX 5.3: #2315, available from ftp://sgigate.sgi.com/Patches/5.3/patch2315.tar<br>IRIX 6.0.x: upgrade the system or use the temporary fix<br>IRIX 6.1: upgrade the system or use the temporary fix<br>IRIX 6.2: #2314, available from ftp://sgigate.sgi.com/Patches/6.2/patch2314.tar<br>IRIX 6.3: #2338, available from ftp://sgigate.sgi.com/Patches/6.3/patch2338.tar<br>IRIX 6.4: #2338, available from ftp://sgigate.sgi.com/Patches/6.4/patch2338.tar |
| Related URL | CVE-1999-0149 (CVE) |
| Related URL | http://www.securityfocus.com/bid/380 (SecurityFocus) |
| Related URL | http://www.iss.net/security_center/static/290.php (ISS) |