VID | 21818
Severity | 40
Port | 80, ...
Protocol | TCP
Class | CGI
Detailed Description |
A version of ELOG equal to or older than version 2.6.0-beta4 was detected on the host. ELOG is a freely available, open-source, Web-based logbook program. ELOG version 2.6.0-beta4 and earlier versions could allow a remote attacker to cause a denial of service and possibly execute arbitrary code, caused by multiple buffer overflow flaws in the cmd and the mode parameters. A remote, unauthenticated attacker could exploit these vulnerabilities to execute arbitrary code on the affected system with the permissions of the user running the affected application.
* Note: This check relies solely on the version number of the ELOG Web Logbook installed on the remote Web server to assess this vulnerability, so the result might be a false positive.
* References:
  http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/040301.html
  http://secunia.com/advisories/18124/
  http://www.frsirt.com/english/advisories/2005/3000
  http://securitytracker.com/id?1015379
  http://marc.theaimsgroup.com/?l=full-disclosure&m=113498708213563&w=2
* Platforms Affected: ELOG version 2.6.0-beta4 and earlier versions; Linux, any version; Unix, any version |
Recommendation |
No upgrade or patch was available as of January 2006.
Upgrade to the latest version of ELOG when a new version that fixes this problem becomes available from the ELOG Download Web page at http://midas.psi.ch/elog/download.html |
Related URL | CVE-2005-4439 (CVE)
Related URL | 15932 (SecurityFocus)
Related URL | (ISS)