| Field | Value |
|---|---|
| VID | 21169 |
| Severity | 30 |
| Port | 80, … |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | The "auktion.cgi" CGI is installed. HIS Auktion is a CGI script for hosting and managing online auctions. HIS Auktion version 1.62 could allow a remote attacker to traverse directories on the Web server, due to insufficient checks performed on parameters passed to auktion.cgi through the "menue" argument. A remote attacker can send an HTTP GET request with "dot dot" sequences (/../) to traverse directories and gain read access to sensitive files on the Web server with the privileges of the HTTP daemon (usually root or nobody). |
| Recommendation | No remedy available as of June 2014. Remove 'auktion.cgi' from /cgi-bin. |
| Related URL | CVE-2001-0212 (CVE) |
| Related URL | 2367 (SecurityFocus) |
| Related URL | 6090 (ISS) |