| VID | 21157 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | The "/cgi-bin/newsdesk.cgi" CGI is installed. Ibrow Newsdesk is a CGI script written in Perl that allows remote administration of news headlines on Web sites. Newsdesk.cgi version 1.2 could allow a remote attacker to traverse directories on the Web server. By submitting a request containing "dot dot" sequences (/../) in the URL, an attacker can read arbitrary files with the privileges of the http daemon (usually root or nobody), and use this to post new news or upload HTML to the htdocs directory. |
| Recommendation | No upgrade or patch was available as of June 2014. Upgrade to the latest version of Newsdesk when it becomes available from the Ibrow Web site listed in the references. |
| Related URL | CVE-2001-0231 (CVE) |
| Related URL | 2172 (SecurityFocus) |
| Related URL | 5898 (ISS) |