VID 21194
Severity 30
Port 80, …
Protocol TCP
Class CGI
Detailed Description The "ustorekeeper.pl" CGI is installed. uStorekeeper is a complete e-commerce solution that provides all you need to create, operate, and maintain an online store.
ustorekeeper.pl could allow a remote attacker to traverse directories on the Web server, because it performs insufficient checks on parameters passed to it through the "command" argument. A remote attacker can send an HTTP GET request containing "dot dot" sequences (/../) to traverse directories and gain read access to sensitive files on the Web server with the privileges of the http daemon (usually root or nobody).

* References:
http://www.uburst.com/uStorekeeper/index.html
http://www.securiteam.com/securitynews/5MP051P4AQ.html
http://online.securityfocus.com/bid/2536
Recommendation Remove 'ustorekeeper.pl' from /cgi-bin or upgrade to the latest version.
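Until the script is removed or upgraded, web server access logs can be checked for requests that match the description above. The following Python sketch is an added example, not part of the original entry or of uStorekeeper; the log lines are constructed, and every parameter name and value other than "command" is hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed Common Log Format lines for illustration; not real traffic.
# Parameter names and values other than "command" are hypothetical.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /cgi-bin/ustorekeeper.pl?command=listitems HTTP/1.0" 200 5120
192.0.2.44 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/ustorekeeper.pl?command=show&name=../../../example.txt HTTP/1.0" 200 1024
192.0.2.45 - - [01/Jan/2024:10:00:09 +0000] "GET /cgi-bin/ustorekeeper.pl?command=show&name=%2e%2e%2f%2e%2e%2fexample.txt HTTP/1.0" 200 1024
192.0.2.46 - - [01/Jan/2024:10:00:12 +0000] "GET /cgi-bin/ustorekeeper.pl?command=show&name=..%255c..%255cexample.txt HTTP/1.0" 404 210
192.0.2.47 - - [01/Jan/2024:10:00:15 +0000] "GET /cgi-bin/ustorekeeper.pl?command=search&q=wait..what HTTP/1.0" 200 300
192.0.2.48 - - [01/Jan/2024:10:00:20 +0000] "GET /cgi-bin/other.pl?f=../x HTTP/1.0" 200 300
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) [^"]*" (\d{3}) ')
# ".." counts only when it is a whole path segment, so "wait..what" is ignored.
DOTDOT_RE = re.compile(r'(^|/)\.\.(/|$)')

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding and treat backslashes as slashes."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def find_traversal_attempts(log_text):
    """Return (client, parameter, decoded value, status) for each request to
    ustorekeeper.pl whose query string carries a dot-dot path segment."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/ustorekeeper.pl"):
            continue
        for name, raw in parse_qsl(url.query, keep_blank_values=True):
            value = fully_decode(raw)  # parse_qsl already decoded one layer
            if DOTDOT_RE.search(value):
                hits.append((client, name, value, int(status)))
    return hits

if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(hit)
```

A hit with a 200 status deserves the closest review, since it means the server returned content for a request that contained a traversal sequence.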