| Field | Value |
|---|---|
| VID | 21175 |
| Severity | 40 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | The "calendar_admin.pl" CGI is installed. Matt Kruse's Calendar CGI package is a free tool that implements a web-based calendar system. The calendar.pl and calendar_admin.pl CGI scripts fail to strip shell metacharacters from the 'config' parameter, which is then passed unsanitized to the Perl open() function. This flaw lets anyone execute arbitrary commands with the privileges of the HTTP daemon (root or nobody). |
| Recommendation | Upgrade to the latest version of Matt Kruse's Calendar, available from the Calendar web site. See References. |
| Related URL | CVE-2000-0432 (CVE) |
| Related URL | 1215 (SecurityFocus) |
| Related URL | 4464 (ISS) |
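As an added illustration (not code from the Calendar package or from this record), the defect class the description names, a two-argument open() on a request parameter, shown next to a hardened version; the config directory path and the subroutine names are assumptions for the example:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use File::Spec;

my $q      = CGI->new;
my $config = $q->param('config');          # request-controlled input

# DEFECT PATTERN (do not use): with two arguments, open() parses the string
# itself for a mode and file name, so shell metacharacters in $config change
# what open() does instead of being treated as part of a literal file name.
sub load_config_unsafe {
    my ($name) = @_;
    open(my $fh, $name) or die "cannot open config: $!";
    local $/;
    my $content = <$fh>;
    close $fh;
    return $content;
}

# HARDENED: accept only a short token, pin it under a fixed directory, and use
# the three-argument open() so the mode is fixed and the input is only a path.
my $CONFIG_DIR = '/var/www/calendar/conf';   # assumed location

sub load_config_safe {
    my ($name) = @_;
    # Rejects '/', '..', '|', whitespace and every other metacharacter.
    die "invalid config name\n"
        unless defined $name && $name =~ /\A([A-Za-z0-9_-]{1,32})\z/;
    my $path = File::Spec->catfile($CONFIG_DIR, "$1.conf");
    open(my $fh, '<', $path) or die "cannot open config: $!";
    local $/;
    my $content = <$fh>;
    close $fh;
    return $content;
}

print $q->header('text/plain');
print load_config_safe($config);
```

Running the script under taint mode (`perl -T`) additionally makes Perl refuse to pass an unchecked request parameter to open() at all, which is a cheap second line of defence for CGIs of this kind.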