| Field | Value |
|---|---|
| VID | 21159 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | The "/technote/main.cgi" CGI is installed. TECH-NOTE is a popular Korean bulletin board software for Web sites. TECH-NOTE 2000 could allow a remote attacker to traverse directories on the Web server, due to a vulnerability in the main.cgi script. The main.cgi script fails to properly validate user-supplied input when calling the open() function. A remote attacker can send a specially crafted URL containing "dot dot" sequences (/../) to traverse directories and read files on the Web server with the privileges of the http daemon (usually root or nobody). TECH-NOTE 2001 may also be vulnerable. |
| Recommendation | No remedy available as of June 2014. Upgrade to the latest version of TECH-NOTE when it becomes available from the Technote Web site listed in the references. |
| Related URL | CVE-2001-0075 (CVE) |
| Related URL | 2156 (SecurityFocus) |
| Related URL | 5813 (ISS) |
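
Since no fix is listed, reviewing Web server logs for the pattern described above is a practical check. The following detection sketch is an added example, not part of the original advisory or of TECH-NOTE: it flags access-log requests to /technote/main.cgi whose query string carries a dot-dot path segment, including percent-encoded and double-encoded forms. The log lines, the `param` query name and the file paths are constructed placeholders; the advisory does not name the vulnerable parameter.

```python
import re
from urllib.parse import unquote

# Script path as named in the advisory.
CGI_PATH = "/technote/main.cgi"

# Request line inside a common/combined log format entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')

# A ".." that forms a whole path segment inside a query value.
DOTDOT_RE = re.compile(r"(?:^|[/=&])\.\.(?:/|&|$)")

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so %252e%252e is also seen as '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")  # treat backslashes as separators

def is_traversal_attempt(log_line):
    """True if the line is a request to main.cgi carrying a dot-dot segment."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return False
    raw_path, _, raw_query = match.group("target").partition("?")
    if CGI_PATH not in fully_decode(raw_path).lower():
        return False
    return DOTDOT_RE.search(fully_decode(raw_query)) is not None

def flagged_lines(log_lines):
    """Return the 0-based indexes of lines that look like traversal attempts."""
    return [i for i, line in enumerate(log_lines) if is_traversal_attempt(line)]

# Constructed sample log (addresses from documentation ranges, 'param' is hypothetical).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jun/2014:10:00:01 +0000] "GET /technote/main.cgi?param=notice HTTP/1.0" 200 5120',
    '198.51.100.7 - - [10/Jun/2014:10:00:05 +0000] "GET /technote/main.cgi?param=../../../some/file HTTP/1.0" 200 812',
    '198.51.100.7 - - [10/Jun/2014:10:00:06 +0000] "GET /technote/main.cgi?param=%2e%2e%2f%2e%2e%2fsome%2ffile HTTP/1.0" 200 812',
    '198.51.100.7 - - [10/Jun/2014:10:00:07 +0000] "GET /technote/main.cgi?param=%252e%252e%252fsome HTTP/1.0" 200 812',
    '192.0.2.11 - - [10/Jun/2014:10:00:09 +0000] "GET /index.html?ref=../x HTTP/1.1" 200 300',
    '192.0.2.12 - - [10/Jun/2014:10:00:11 +0000] "GET /technote/main.cgi?param=v1..2 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for index in flagged_lines(SAMPLE_LOG):
        print(SAMPLE_LOG[index])
```

A 200 response on a flagged line is worth following up, since it suggests the file read may have succeeded.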