| VID | 21114 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | The "FormHandler.cgi" CGI script is installed. This script can allow attackers to read any file on the server that the CGI script has read access to, including the /etc/passwd file. FormHandler supports the use of templates in the e-mail messages that result from a form submission. An attacker could specify the templates as files referenced by absolute pathname in the form document. Once the attacker clicks submit on the local form, the FormHandler CGI would e-mail the /etc/passwd file to the specified e-mail address. |
| Recommendation | Remove the FormHandler.cgi file from / directory of the server. |
| Related URL | CVE-1999-1050 (CVE) |
| Related URL | 798,799 (SecurityFocus) |
| Related URL | 3550 (ISS) |