| Field | Value |
|---|---|
| VID | 21177 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | The "/cgi-bin/cgiforum.pl" CGI is installed. Markus Triska's CGIForum is a commercial CGI script used to create and manage Web-based message boards. CGIForum version 1.0 could allow a remote attacker to traverse directories on the server, due to insufficient validation of user-supplied input to the "thesection" parameter. A remote attacker can submit a specially crafted URL containing "dot dot" sequences (/../) to read arbitrary files on the server with the privileges of the HTTP daemon (root or nobody). |
| Recommendation | Download and install the latest version of CGIForum, available from the following location: http://www.marcbrinkmann.de/inandonline/netz/CGIForum-1.01.tar.gz |
| Related URL | CVE-2000-1171 (CVE) |
| Related URL | 1963 (SecurityFocus) |
| Related URL | 5553 (ISS) |