Index:
a1stats |
admin.php |
aglimpse |
AnyForm |
AnyForm2 |
args.cmd |
AspUpload |
basilix.php3 |
bb-hostsvc.sh |
bb_smilies.php |
BBoardServlet |
bbs_forum.cgi |
book.cgi |
boozt |
cal_make.pl |
calendar_admin.pl |
campas |
case.filemanager.php |
catinfo |
ChangeAdminPassword |
check_me.mod.php |
chetcpasswd.cgi |
comment2.jse |
console.exe |
core.php |
count |
counterfiglet |
CSNews.cgi |
csvform.pl |
db.php |
dbconnect.inc |
directory.php |
directorypro.cgi |
dnstools.php |
exec.php3 |
ezhttpbench.php |
faxsurvey |
filemanager_forms.php |
formmail |
generate.cgi |
glimpse |
graph.php |
handler |
htgrep |
htmlscript |
htsearch |
ifx |
ikonboard.cgi |
imagemap.exe |
info2www |
infosrch.cgi |
iPlanet search |
jj |
JSP10Servlet |
logbook.pl |
mail |
mail/admin |
man-cgi |
mmstdod.cgi |
multihtml |
netauth.cgi |
network_query.php |
Network_Tools |
none.php |
normal_html.cgi |
nph-mr.cgi |
nslookup.pl |
opendir.php |
perl |
perl.exe |
pfdispaly |
PGPMail |
phf |
php |
php/php.exe |
phpMyAdmin/sql.php |
phpPgAdmin/sql.php |
phpping |
phprojekt |
Poll_It |
product.asp |
product.ast |
query |
r.cgi |
search.pl |
servlet/webacc |
shopping_cart.mdb |
shopplus.cgi |
source |
ssi |
SWEditServlet |
talkback.cgi |
tbl_copy.php |
textcounter |
traceroute.pl |
translations.php |
uploader.exe |
uploader.php |
uploadimage.php |
view_source |
viewcode.jse |
viewpage.php |
viewsrc.cgi |
vtopic |
w-agora |
WebAdmin.dll |
webdist |
webgais |
webplus |
websendmail |
webwho.pl |
whois.cgi |
win-c-sample.exe |
www-sql |
wx/s.dll |
YaBB.pl |
zml.cgi
webdist:
Resolution:
Vendor patches to protect against this vulnerability are available from Silicon Graphics Inc., and they should be applied as soon as possible. A workaround to this problem is to immediately remove the execute permissions on the webdist.cgi program to prevent its exploitation. If the Webdist software is not required, it should be removed from the system entirely. You may read more about this vulnerability in CERT Advisory 97.12.
phf:
CVE 1999-0067
CAN 2000-1186
The phf cgi program comes with the NCSA version 1.5 and Apache 1.03 web servers. There may be other distributions that also have the phf cgi program in the cgi-bin directory.
There are two problems in phf. Firstly, the program relies on the escape_shell_cmd() function to sanitize user input before handing it to a shell, and that function does not escape the newline character. A URL-encoded newline (%0a) followed by a command (for example cat /etc/passwd) is therefore passed to the shell as a second command. If a malicious user determines that the phf cgi is present on the system, he or she can execute commands with the same privileges as the web server.
The second problem is a buffer overflow condition in the handling of the HTTP_X environment variable. By sending a specially crafted string to the server through this variable, an attacker could execute arbitrary code.
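The following added example (not code from the page, nor from NCSA or Apache) shows why the metacharacter escaping phf relied on was not enough, and the shape of the fix a practitioner would apply today. The escaped-character set is the one used by the NCSA 1.5 escape_shell_cmd(); the allow-list pattern and the stand-in command are assumptions for illustration.

```python
"""Added example: blacklist escaping that misses the newline, beside an
allow-list check that never invokes a shell at all."""
import re
import subprocess
import sys

# Characters escaped by escape_shell_cmd() in NCSA httpd 1.5 util.c.
# The newline is absent, which is the gap phf was exploited through.
NCSA_ESCAPED = set("&;`'\"|*?~<>^()[]{}$\\")


def ncsa_escape_shell_cmd(cmd: str) -> str:
    """Python rendering of the old escape_shell_cmd() behaviour."""
    return "".join("\\" + ch if ch in NCSA_ESCAPED else ch for ch in cmd)


def unescaped_separators(cmd: str) -> list:
    """Return the command separators a Bourne shell would still honour
    after escaping, i.e. those not preceded by a backslash."""
    found, i = [], 0
    while i < len(cmd):
        if cmd[i] == "\\":          # escaped character: skip it
            i += 2
            continue
        if cmd[i] in ";|&\n":
            found.append(cmd[i])
        i += 1
    return found


# Allow-list for a phone-book alias (assumption: one token of safe characters).
ALIAS_OK = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def run_lookup(alias: str) -> str:
    """Hardened form: validate against the allow-list, then run the helper
    with an argv list so no shell ever parses the input. The python -c
    one-liner stands in for phf's external lookup program."""
    if not ALIAS_OK.fullmatch(alias):
        raise ValueError("rejected alias: %r" % alias)
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", alias]
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    for probe in ("root;cat /etc/passwd", "root\ncat /etc/passwd"):
        print(repr(probe), "->", unescaped_separators(ncsa_escape_shell_cmd(probe)))
    print(run_lookup("root"))
```

The blacklist stops the semicolon but not the newline; the allow-list rejects both, and because the helper is started with an argv list there is no shell to inject into even if a bad character did get through.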
Resolution:
It is recommended that you remove the cgi from the cgi-bin directory. The program is not required to run the web server.
campas:
CVE 1999-0146
The campas cgi program is installed with older versions of the NCSA web server. A malicious user may be able to execute commands with the same privileges as the web server.
Resolution:
It is recommended that you remove the cgi from the cgi-bin directory. The program is not required to run the web server.
handler:
CVE 1999-0147
The handler cgi is part of the Outbox Environment
subsystem on IRIX
5.x and 6.x systems. The cgi can be manipulated to execute commands
at the privilege level of the web server.
Check to see if the Outbox subsystem is installed on the system:
% /usr/sbin/versions outbox.sw
I = Installed, R = Removed
   Name                  Date      Description
I  outbox                03/23/97  Outbox Environment, 1.2
I  outbox.sw             03/23/97  Outbox End-User Software, 1.2
I  outbox.sw.outbox      03/23/97  Outbox Software Tools, 1.2
I  outbox.sw.webdist     03/23/97  Web Software Distribution Tools, 1.2
Resolution:
There are patches available from the SGI FTP site. You may also remove the Outbox subsystem if there is no need for it to be installed.
htmlscript:
Resolution:
Upgrade to the newest version, which can be found at the htmlscript.com website.
php:
CVE 1999-0058
php.cgi is an NCSA cgi enhancement. The cgi has a vulnerability that lets unauthorized users view files on the system. The cgi works by taking the path to the file as an argument:
http://hostname/cgi-bin/php.cgi?/look-at-this-file
php.cgi will let the malicious user view any file that the web server has privilege to read.
Resolution:
The author has the following solution: in the php.h file add the line
#define PATTERN_RESTRICT ".*\\.phtml$"
which restricts php.cgi to viewing files with phtml as the extension. The current version can be found at http://www.vex.net/php. For more details, see here.
count:
CVE 1999-0021
The count program is used to count the number of times a particular web page has been accessed. In the program there is "...insufficient bounds checking on arguments which are supplied by users..", which makes it possible to overwrite the stack and execute commands. A malicious user can craft a specific argument to count.cgi and force it to execute commands with the privileges of the web server.
Resolution:
It is recommended to upgrade to the latest version, and at least to version 2.4. An alternative to upgrading is to remove the execute permissions from the cgi; however, this will cause the counter on the web page to stop working. The rest of the web page should continue to look the same. For more details, see the CERT advisory.
jj:
CVE 1999-0260
jj is a demo cgi program. It does not check user input before passing it to the /bin/mail program. Therefore, a malicious user can have any output they wish to view mailed to themselves. For example, if the web server is running as root, they may mail themselves the password file.
Resolution:
Since the program is a demo, it is recommended that it be removed from the cgi-bin directory.
pfdispaly:
CVE 1999-0270
The pfdispaly (sic) cgi is part of the IRIS
Performer API Search Tool which is a web based search tool that comes
with the IRIX
6.2-6.4 operating system. The vulnerability could allow access to
files with the privileges of the user "nobody."
Resolution:
Change the permissions of the cgi: /bin/chmod 500 /var/www/cgi-bin/pfdispaly.cgi
The permissions should then be -r-x------. BugTraq has information about the pfdispaly vulnerability.
faxsurvey:
CVE 1999-0262
The faxsurvey cgi could allow a malicious user to execute any command they want at the privilege level of the http server. The cgi is part of the HylaFAX package that ships with S.u.S.E. 5.1 & 5.2. Older versions may also be vulnerable.
Resolution:
There have been a variety of attempts made to fix the code in faxsurvey.cgi. However, the best thing to do is remove it from the cgi-bin directory if there is no need for the cgi.
phprojekt:
5/3/02
PHProjekt versions prior to 3.2 contain a number of vulnerabilities, including:
Resolution:
Upgrade to PHProjekt 3.2 or higher.
filemanager_forms.php:
3/22/02
CVE 2002-0451
PHProjekt version 3.1a (and 3.1) contains a bug in the filemanager_forms.php
script that would allow an attacker to redefine the 'lib_path' variable, thereby
including arbitrary PHP scripts for execution.
Resolution:
Obtain an update from the vendor.
info2www:
CVE 1999-0266
The info2www cgi translates the Info Nodes that a user can view in Emacs to HTML on the fly. The script is written in perl and can allow a malicious user to execute system commands at the privilege level of the web server. Not all versions of info2www are vulnerable: copies that carry no version number at all, and version 1.1, should be considered vulnerable; versions later than 1.1 correct the problem.
Resolution:
It is recommended that the script is updated to the latest version, 1.2. You can read about the vulnerability at BugTraq.
textcounter:
textcounter
is a perl script that displays a text
based number which is the number of visitors to the web page. The
counter needs to read, write, and create a file to store the number
of visitors. The vulnerability comes from a lack of a test for shell
metacharacters. A malicious user may be able to have perl
execute commands at the web server privilege. Check out BugTraq
to see more information on the vulnerability.
Resolution:
To fix the vulnerability, add the second line shown below after line 91 (taken from BugTraq):
$count_page = "$ENV{'DOCUMENT_URI'}";                    # the original line 91
$count_page =~ s/([^a-z0-9])/sprintf("%%%02X",$1)/ge;   # ADD THIS
aglimpse/glimpse:
CVE 1999-0148
Glimpse is a search and
indexing tool. aglimpse/glimpse is an
interface to the Glimpse search
tool. The cgi is written in perl.
The vulnerability can allow access to the password by mailing a malicious
user the password file.
Resolution:
GlimpseHTTP is no longer available for updating; however, there is a new Glimpse interface called WebGlimpse. It is recommended that the system be updated with WebGlimpse.
WebGais & websendmail:
CVE 1999-0176
CVE 1999-0196
WebGAIS is an interface to the Global Area Intelligent Search (GAIS) index/search tool. The cgi can be tricked into executing system commands with the privilege of the web server.
websendmail is a cgi that comes with the WebGAIS package. websendmail can be tricked into sending the password file to a malicious user because there is no check on what type of characters are sent to the perl cgi. Therefore, given a certain set of metacharacters, a malicious user may be able to have the cgi execute system commands with the privilege of the web server.
Resolution:
The best thing to do is upgrade to the latest version of the WebGAIS package. After getting the latest version, disable the websendmail cgi that is included in the package.
perl/perl.exe:
CAN 1999-0509
Perl is an interpreted scripting language: to execute a perl script, the interpreter is invoked and the script is run. However, the interpreter itself should never be in the cgi-bin directory of the web server. If there is a perl interpreter, or a link to the interpreter, in cgi-bin, then a malicious user can do everything the perl interpreter can do from the command line.
Some very good rules to live by that have been found on the web:
Resolution:
Remove the links and binaries of the perl interpreter from the cgi-bin directory.
www-sql:
The www-sql cgi is designed to access a mysql database through an http server and create a nicely formatted query result page. Put simply, it generates HTML pages dynamically from the output of the SQL server. The problem is that www-sql bypasses .htaccess restrictions. .htaccess is a file that places access restrictions on directories for Apache and NCSA based web servers. You can read more about the problem at BugTraq.
Resolution:
It is recommended that the script is updated to the latest version.
view_source:
CVE 1999-0174
The cgi comes on the SCO Skunkware cdroms. The cgi is meant to display documents; however, it does not check its arguments correctly and therefore can show files with the privilege of the web server.
Resolution:
According to BugTraq it is best to remove the cgi.
Whether any machines on your network are susceptible to this vulnerability
or not, you should consider taking this opportunity to examine your entire
httpd
configuration schemes. In particular, all CGI
programs that are not required should be removed, and all those remaining
should be examined for possible security vulnerabilities. It is also important
to ensure that all child processes of httpd are running
as a non privileged user. This is often a configurable option. See the
documentation for your httpd distribution for more details.
uploader.exe:
CVE 1999-0177
CAN 2000-0769
O'Reilly's WebSite web server contains a program called uploader.exe, some versions of which allow any remote user to upload arbitrary files anywhere on the server. This could be used to upload executable files into the cgi-bin directory and run them from the browser, thus allowing an attacker to execute arbitrary commands on the server.
Resolution:
Delete uploader.exe from the system. Use ftp to upload files.
args.cmd:
This script, found on WebSite web servers, echoes parameters without checking them for illegal characters. Arbitrary code could be executed by passing it a parameter containing quote and newline characters.
Resolution:
Delete args.cmd. It is provided as a sample program and is not needed on an operational web server.
win-c-sample.exe:
CVE 1999-0178
This script puts input parameters into a fixed-length string without
checking the length of the string, causing a buffer overflow condition.
This condition can be used to execute arbitrary code on the server.
Resolution:
Delete win-c-sample.exe. It is provided as a sample program and is not needed on an operational web server.
product.asp, product.ast:
CVE 2000-0161
These scripts are sometimes found on Microsoft Site Server 3.0
(Commerce Edition) web servers. The first is part of the Volcano Coffee
sample site. The second is created by the Site Builder wizard. These
scripts accept user input which is put into an SQL query without any
validity checking. A malicious user could supply input which includes
arbitrary SQL commands to Read, Create, Modify, or Delete data.
Resolution:
Install a patch. See the Microsoft Security Bulletin for patch information.
htsearch:
CVE 2000-0208
This is part of the htdig package. A remote user
can view any file on the system by passing the filename enclosed by
backticks to htsearch as an input parameter.
Versions of htdig prior to 3.1.4 and 3.2.0b1
are vulnerable.
10/12/01
CVE 2001-0834
A second problem results from the fact that htsearch allows a remote user to pass command-line arguments to the program from a web browser. By using the -c (configuration file) command line option to refer to a special file such as /dev/zero, it is possible to cause the program to stall, resulting in a denial of service. Furthermore, if the attacker is able to upload or manipulate files on the server, such as a Samba log file or a writeable anonymous FTP directory, the attacker could create a specially crafted configuration file which could be used to read arbitrary files on the server.
Resolution:
Upgrade to htdig 3.1.6 (release) or 3.2.0 beta 4 or higher, or install an updated package from your vendor. Vendor updates are available from Caldera, Conectiva, Debian, SuSE, or Mandrake. If neither the new version nor a vendor update is available, upgrade to 3.1.5 or 3.2.0 beta 3 and install one of the patches posted to Bugtraq.
infosrch.cgi:
CVE 2000-0207
This script, found on IRIX systems, allows man pages
and other documentation to be viewed over the web. It does not validate
the "fname" input parameter, which could allow an attacker to execute
arbitrary commands using special shell characters.
Resolution:
Remove or disable infosrch.cgi.
ChangeAdminPassword:
This script comes with Cart32, an E-commerce Shopping Cart package.
It allows the administrative password for the Shopping Cart application
to be changed without any knowledge of the previous one. Once the
password is set, it can be used to execute arbitrary commands using
a specially crafted URL.
Resolution:
On Windows NT, change the permissions on c32web.exe so that it is only accessible by administrators. On Windows 95 or 98, remove c32web.exe. Alternatively, apply the patch developed by L0pht.
calendar_admin.pl:
CVE 2000-0432
Matt Kruse's calendar
script prior to version 2.2, and including
version 2.2 if downloaded before 5/17/2000, does not validate the input
provided by the user, thus allowing a remote attacker to issue arbitrary
commands with the privileges of the web server.
Resolution:
Download the latest version from http://www.mattkruse.com/scripts/calendar, or make the following change to both calendar.pl and calendar_admin.pl. After the line:
&ReadParse;
insert the lines:
$in{config} =~ s|[^\s\w\.\/]||g;
$in{template} =~ s|[^\s\w\.\/]||g;
Note that these substitutions strip shell metacharacters but still permit dots and slashes, so on their own they do not stop the config and template parameters from naming files outside the intended directory; the updated version from the author is preferable.
counterfiglet:
Resolution:
The counter script is no longer supported. Delete the counter script and all of the links to it. If the counter function is needed, install any of the newer scripts which do the same thing.
Poll_It:
CVE 2000-0590
Poll It is a script
for running online polls and displaying the results. By passing parameters
which overwrite the initial settings in the script, it is possible to
view any file on the system to which the http server has read access.
Resolution:
In the file cgi-bin/pollit/Poll_It_SSI_v2.0.cgi, move the line:
%in = &ReadForm;
above the local variable initializations, e.g. to line 66.
imagemap.exe:
Resolution:
Remove imagemap.exe from the cgi-bin directory.
Big Brother (bb-hostsvc.sh):
CVE 2000-0638
A vulnerability in Big Brother
could allow a remote attacker to read any file on the server
by exploiting the bb-hostsvc.sh script.
Resolution:
The vulnerability in bb-hostsvc.sh can be fixed by upgrading to version 1.4h2 or higher.
query:
CVE 2000-0039
The AltaVista Search Engine has a vulnerability which could allow a remote attacker to reconfigure the web server. The query program allows files in the directory above it to be viewed. An attacker could find encoded passwords in one of these files, decode them, and use them to log into the online configuration tool.
Resolution:
Upgrade to the latest version of the AltaVista Search Engine.
db.php:
3/22/02
CVE 2002-0473
The db.php script of PHPBB2 version 2.0 allows a remote attacker to execute arbitrary commands by modifying the 'phpbb_root_path' URL parameter.
Resolution:
Download the latest version of PHPBB2.
dbconnect.inc:
CVE 2000-0707
This file, included with the PCCS MySQL Database Admin Tool,
reveals the plain text administrator password. The tool also
allows any remote user to administer the database.
Resolution:
Secure the pccsmysqladm directory through the web server.
netauth.cgi:
CVE 2000-0782
Netauth is a web-based
e-mail management system. It is possible to view arbitrary files on the
system by supplying a specially crafted input parameter.
Resolution:
Download the latest version of Netauth.
htgrep:
CAN 2000-0832
This script allows the user to specify header and footer files to be appended to the search output. By specifying an absolute pathname, an attacker could view any file which is readable by the web server process.
Resolution:
Disable the script, or download a fixed version when it becomes available.
BBoardServlet:
CAN 2000-0629
CAN 2000-0812
SUN's Java Web Server comes with a number of
example applications. One of these, the Bulletin
Board application, allows a remote user to upload
arbitrary JSP code to the server. It is then possible
to cause the servlet which executes JSP code to
execute the uploaded file by manually prepending
servlet/ to its pathname. An attacker
could execute arbitrary code in this manner.
Resolution:
Disable example applications and the invoker servlet
as follows: In the administration applet under Setup,
remove the File Alias:
/examples $server_home/examples
and remove the Servlet Alias:
/servlet invoker
for both the Web Service and the Secure Web Service.
For further instructions on securing Java Web Server, see
the document from
SUN and CERT Advisory
2000-02.
YaBB.pl, search.pl:
CVE 2000-0853
CAN 2000-1176
Yet another Bulletin Board (YaBB) is an
Open Source bulletin board system. There are vulnerabilities in two of
the scripts that come with YaBB. The first, YaBB.pl,
can be exploited to view any file on the system. The second,
search.pl, can be exploited to view any file or to execute arbitrary commands.
Resolution:
Install the latest version
of YaBB.
The problem in YaBB.pl can also be fixed by adding the following line after line 13:
if ($viewnum !~ /^[0-9]/) { &fatal_error("This field only accepts numbers from 0-9" ); }
Note that this pattern tests only the first character of $viewnum; a check that constrains the whole value, such as /^[0-9]+\z/, is stronger.
vtopic:
Resolution:
Install a fix from SCO when it becomes available, or
run the following commands to disable the scohelphttp server:
/usr/ns-home/httpd-scohelphttp/stop
/usr/ns-home/httpd-scohelphttp/disable
multihtml:
Resolution:
Install the latest version of MultiHTML.
ssi:
CVE 2000-0900
The ssi script is part of thttpd. A lack of parameter checking in ssi, combined with the fact that thttpd decodes hexadecimal (%xx) escapes only after removing illegal "../" strings, could allow a remote attacker to view arbitrary files: an encoded ../ survives the filter and is decoded afterwards.
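The ordering mistake described above, as an added example (this is not thttpd's code): one resolver filters "../" before percent-decoding, the other decodes first and then checks the normalised result against the document root. The document root and sample request paths are constructed for the demonstration.

```python
"""Added example: filter-then-decode versus decode-then-check for a
request path that is joined onto a document root."""
import posixpath
from urllib.parse import unquote

DOCROOT = "/var/www/htdocs"   # assumed document root for the example


def resolve_unsafe(doc_root: str, request_path: str) -> str:
    """The pattern the text describes: strip '../' from the raw request,
    THEN percent-decode. An encoded '%2e%2e/' is invisible to the filter."""
    cleaned = request_path.replace("../", "")
    decoded = unquote(cleaned)
    return posixpath.normpath(posixpath.join(doc_root, decoded.lstrip("/")))


def inside_root(doc_root: str, path: str) -> bool:
    """True when path is the root itself or lies below it."""
    root = posixpath.normpath(doc_root)
    return path == root or path.startswith(root + "/")


def resolve_safe(doc_root: str, request_path: str) -> str:
    """Decode first, normalise, and refuse anything outside the root.
    The check is on the final path, so it does not matter how the
    traversal was spelled in the request."""
    decoded = unquote(request_path)
    if "\x00" in decoded:
        raise ValueError("NUL byte in request path")
    target = posixpath.normpath(posixpath.join(doc_root, decoded.lstrip("/")))
    if not inside_root(doc_root, target):
        raise ValueError("request escapes the document root: " + target)
    return target


if __name__ == "__main__":
    probe = "%2e%2e/%2e%2e/%2e%2e/etc/passwd"   # constructed request path
    print("unsafe:", resolve_unsafe(DOCROOT, probe))
    try:
        print("safe:", resolve_safe(DOCROOT, probe))
    except ValueError as err:
        print("safe:", err)
```

The unsafe resolver returns a path under /etc for the encoded request even though a literal ../ would have been stripped; the safe resolver rejects both spellings because it reasons about the canonical path rather than the request text.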
Resolution:
Upgrade to thttpd version 2.20 or higher.
shopping_cart.mdb:
This file is the database used by CyberOffice
Shopping Cart. By default, any web user can download
this file, thereby gaining access to customer information,
including credit card information.
Resolution:
Set the directory permissions to allow write but not read. This will enable users to update the database as required by the application, but not to download it.
webplus:
CVE 2000-0282
This script is part of the Web+ e-commerce server by
Talentsoft.
It is the interface to the webpsvr daemon,
which is the driving process for the software. A lack
of parameter checking could allow a remote attacker to
view arbitrary files on the system.
Resolution:
Upgrade to Web+ build 512 or later.
mmstdod.cgi:
CVE 2001-0021
This script is part of MailMan,
a web-based e-mail application. Arbitrary commands can be run
with the privileges of the web server process by sending a specially
crafted value to the ALTERNATE_TEMPLATES form variable.
Resolution:
Upgrade to version 3.0.26 or higher.
bbs_forum.cgi:
CVE 2001-0123
This script is part of WebBBS,
a web-based bulletin board application. Due to a lack of checking of the
read parameter, it is possible for a remote attacker to read any
file on the system by supplying a value with the dot-dot-slash string.
Resolution:
Download the latest version of WebBBS, or add the following lines to the script just below the line that reads &ReadParse;:
if ($in{'read'} && $in{'read'} !~ /^\d+-\d+\.msg$/i) {
    print "Invalid Message #";
    die("Invalid Message # provided: " . $in{'read'});
}
if ($in{'reply_to_message'} && $in{'reply_to_message'} !~ /^\d+-\d+\.msg$/i) {
    print "Invalid Reply To Message #";
    die("Invalid Reply To Message # provided: " . $in{'reply_to_message'});
}
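The two input checks quoted on this page, the YaBB.pl one-liner above and the WebBBS lines just shown, differ in one detail that matters: the YaBB pattern is anchored only at the start, the WebBBS pattern at both ends. The added example below (not YaBB's or WebBBS's code) re-expresses both checks in Python and runs them over a constructed list of parameter values. One assumption baked in: the Python versions use fullmatch, which, unlike Perl's $, does not allow a trailing newline.

```python
"""Added example: first-character check versus fully anchored allow-list,
applied to filename-like form parameters."""
import re


def yabb_check_as_published(viewnum: str) -> bool:
    """Equivalent of  $viewnum !~ /^[0-9]/  (True = value accepted).
    Only the first character is constrained."""
    return re.match(r"[0-9]", viewnum) is not None


def anchored_number(viewnum: str) -> bool:
    """Equivalent of  /^[0-9]+\\z/ : every character must be a digit."""
    return re.fullmatch(r"[0-9]+", viewnum) is not None


# WebBBS message-file pattern, anchored on the whole value.
WEBBBS_MSG = re.compile(r"[0-9]+-[0-9]+\.msg", re.IGNORECASE)


def webbbs_read_ok(value: str) -> bool:
    """Equivalent of  /^\\d+-\\d+\\.msg$/i , but without Perl's allowance
    for a single trailing newline before $."""
    return WEBBBS_MSG.fullmatch(value) is not None


def filter_params(checker, values):
    """Split candidate parameter values into (accepted, rejected)."""
    accepted = [v for v in values if checker(v)]
    rejected = [v for v in values if not checker(v)]
    return accepted, rejected


# Constructed sample inputs: legitimate values and traversal attempts.
SAMPLE = ["42", "7/../../etc/passwd", "12-345.msg", "1-2.MSG",
          "../../etc/passwd", "3-4.msg\n"]

if __name__ == "__main__":
    for name, fn in (("yabb as published", yabb_check_as_published),
                     ("anchored number", anchored_number),
                     ("webbbs read", webbbs_read_ok)):
        print(name, "accepts", filter_params(fn, SAMPLE)[0])
```

The published YaBB check lets "7/../../etc/passwd" through because it begins with a digit; the anchored versions accept only values that consist entirely of the allowed shape.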
opendir.php:
Resolution:
Install the vendor patch.
bb_smilies.php:
CAN 2001-0320
This is another script that comes with PHP Nuke.
The problem is that PHP Nuke uses base-64 encoding when
sending user information, allowing null characters to be
included in the input. Both bb_smilies.php
and bbcode_ref.php are affected by this
vulnerability.
Resolution:
Make the changes which were posted to Bugtraq.
admin.php:
9/28/01
CVE 2001-1032
This is another script which comes with PHP Nuke.
A vulnerability in the program could allow a remote user to
upload or copy files on the web server without providing any
authentication. By copying the config.php file to
a public document directory, the attacker could view the SQL
passwords contained therein.
Resolution:
Upgrade to a fixed version of PHP Nuke.
It is unknown at this time which version will contain a fix.
Alternatively, remove the block of code beginning with:
if($upload) { copy($userfile,$basedir.$wdir.$userfile_name);
Note:
SAINT checks for this vulnerability by copying a file called saint.txt into the images directory and then verifying its existence. To stop SAINT from continuing to detect this vulnerability after it has been fixed, remove saint.txt from the server.
case.filemanager.php:
11/16/01
CAN 2001-0854
This is another script which comes with PHP Nuke.
It is intended to be included by admin.php, and
not to be run directly from a web browser. However, by sending
a specially crafted HTTP request, it is possible
to make the script believe it is being called by admin.php
when it is actually being called remotely from a web browser.
This vulnerability could allow a remote attacker to copy or delete
files on the server. If the attacker is able to upload files by
anonymous FTP or another mechanism, the attacker could upload PHP
scripts and copy them to a directory under the web document root,
and then execute them from a web browser, thus gaining the
ability to execute arbitrary scripts.
Resolution:
The vendor has not released a patch for this vulnerability at
the time of this writing. Two possible workarounds are to revoke access
to the script, or to protect the script using HTTP
authentication. To revoke access to the script, enter the following commands, where document-root is the web document root:
# cd document-root
# chmod 0 admin/case/case.filemanager.php
Note:
SAINT checks for this vulnerability by copying a file called saint1.txt into the web document root, and then verifying its existence. To stop SAINT from continuing to detect this vulnerability after it has been fixed, remove saint1.txt from the server.
man-cgi:
This script allows Unix man pages to be viewed
from a web browser. A vulnerability in the script could
allow a remote attacker to view arbitrary files using
hex-encoded space characters.
Resolution:
Change the line:
PAGE=$COMMAND URL=$MANCGI
to:
PAGE="$COMMAND" URL="$MANCGI"
talkback.cgi:
Resolution:
Upgrade to the latest version of the script.
catinfo:
CAN 2001-0432
This script is part of the Trend Micro
InterScan VirusWall. Although there are access controls intended
to protect the scripts in this package, catinfo and some other scripts are
still accessible due to a configuration error. Furthermore, these scripts
are affected by a buffer overflow vulnerability in the processing of
input data, which could allow a remote attacker to execute arbitrary
commands.
Resolution:
Upgrade to InterScan VirusWall 3.6 or higher.
cal_make.pl:
CVE 2001-0463
This script is part of the PerlCal
web-based calendar package. Due to a lack of parameter checking, a
remote attacker could view any file on the server which is readable by the
web server process.
Resolution:
Install a patch from the vendor when one becomes available. Until then, it would be advisable to deny access to the script using a command such as chmod 000 cal_make.pl.
a1stats:
CAN 2001-0561
CAN 2001-0562
A1-Stats is
a program used to generate statistics about the number and
locations of visitors to a web site. Due to a lack of
checking of input parameters, it is possible for a remote
attacker to read any file which is readable by the owner
of the web server process, or to overwrite any file which
is writable by the owner of the web server process.
Resolution:
Download the latest version of A1-Stats.
directory.php:
3/22/02
CAN 2002-0434
The directory.php script by Marcus S. Xenakis
allows a remote attacker to execute arbitrary command-line commands by modifying the
'dir' URL parameter. The script is for UNIX systems.
Resolution:
Contact the vendor for a fix.
directorypro.cgi:
CAN 2001-0780
Directory Pro
is a utility for creating an Internet directory web site with
search capabilities. Due to a lack of parameter checking, it is possible
to gain read access to any file on the web server which is readable by
the web server process.
Resolution:
Contact the vendor for a fix.
viewsrc.cgi:
CVE 2001-0630
This script is a source viewer
used to view the source code of scripts on a web server. Due to a lack
of parameter checking, it is possible for a remote attacker to view arbitrary
files.
Resolution:
Apply the patch which was posted to Bugtraq.
SWEditServlet:
CAN 2001-0555
ScreamingMedia's SiteWare
includes a web-based administration interface powered by the
SWEditServlet script. Due to inadequate checking
of input parameters, it is possible to view any file on the system
by providing the script with a specially crafted template
variable.
Resolution:
Upgrade to SiteWare 2.5.1 or 3.3.1 or higher. See the vendor advisory for information on obtaining free upgrades.
phpMyAdmin/sql.php, phpPgAdmin/sql.php:
phpMyAdmin and phpPgAdmin are web-based administration
interfaces for MySQL and PostgreSQL, respectively. Insecure
calls to the PHP include function could allow a
remote attacker to read arbitrary files or execute arbitrary
commands by sending specially crafted parameters to the
sql.php script.
Resolution:
Upgrade to phpMyAdmin 2.2.0pre5 (released June 4, 2001) or later, or apply the patch produced by SecureReality for phpMyAdmin or phpPgAdmin.
tbl_copy.php:
CAN 2001-1060
The default installation of phpMyAdmin includes a default
"test" database. A remote user can create a table in this
database with no username or password using the tbl_create.php
script. An attacker could execute arbitrary commands on the
server by first creating a table in this manner, and then exploiting
a lack of input parameter validation in the tbl_copy.php
and tbl_rename.php scripts.
Resolution:
The vulnerability can be fixed by removing one line from each of the two scripts. From tbl_copy.php remove:
eval("\$message = \"$strCopyTableOK\";");
and from tbl_rename.php remove:
eval("\$message = \"$strRenameTableOK\";");
basilix.php3:
Resolution:
Remove "DUMMY" from lang.inc, and replace the last lines in basilix.php3 with the following:
// -- launch the desired file
$file = ereg_replace("\.\.|\/", "", $request_id["$RequestID"]);
if($file == "") exit();
include($BSX_FILESDIR . "/" . $file);
book.cgi:
Resolution:
A fix has not yet been released for this vulnerability. Remove the script if it is not needed.
generate.cgi:
8/21/01
CAN 2001-1115
This script is part of SIX-webboard.
Due to insufficient parameter checking, an attacker could view
any file on the system which is readable by the web server
process.
Resolution:
Immediately after the line:
print "Content-type:text/html\n\n";
insert the following line:
if (length($content) > 5) {print qq(error); exit;}
shopplus.cgi:
Resolution:
Contact the vendor for a fix.
r.cgi:
9/17/01
CAN 2001-1138
This is the script which serves as the central routing point for
Power Up HTML web systems. Due to insufficient checking
of user-supplied parameters, it could be possible for a remote
attacker to view files or execute commands on the web server.
Resolution:
It is unknown whether a fix will be provided in an upcoming version. Contact the vendor for more information.
console.exe:
10/5/01
This program, as well as cs.exe, is normally used
to allow authenticated users to make administrative changes
to a PGP key server. However, using an alternate URL, it is
possible for remote users who are not authenticated also to
make administrative changes.
Resolution:
Change the configuration such that users are always required to authenticate before accessing the console, cs, multi_config, and directory programs. Follow the instructions given in the PGP Security Advisory.
servlet/webacc:
10/24/01
This script is the login page for Novell GroupWise
users to access their e-mail and other functions. Due to
a path traversal vulnerability, a remote attacker could view
arbitrary files on the same disk volume as the web server
by specifying a null-terminated User.html
parameter containing ../ sequences.
Resolution:
Contact your customer support representative for a patch. It is also advisable to locate the web server on a separate disk partition from the operating system.
network_query.php:
10/26/01
Network Query Tool is a CGI script which allows a user to perform network queries such as DNS, Whois, ping, and traceroute using a web interface. Due to insufficient parameter checking, it is possible for a remote attacker to execute arbitrary commands by supplying a hex-encoded semi-colon character after the host name in the target variable.
Resolution:
No known fix is available at this time. Until a fix can be applied, it would be advisable to remove the script or else deny remote access to the web server.
Network_Tools:
11/26/01
CVE 2001-0899
The Network Tools package is an add-on module to PHP Nuke which offers a web interface to the NMAP, traceroute, and ping utilities. Due to insufficient parameter checking, it is possible to run commands remotely from a web browser by including special characters in the target host field.
Resolution:
Upgrade to Network Tools 0.3 or higher.
ifx:
11/27/01
CAN 2001-0924
The Web DataBlade Module for Informix is a set of tools which facilitate the development of web-enabled database applications. A directory traversal attack
Resolution:
AspUpload/Test11.asp:
Resolution:
PGPMail.pl, PGPMail.txt:
Resolution:
csvform.pl:
Resolution:
viewcode.jse:
Novell Netware 5.1 prior to service pack 3 is affected by this vulnerability. Other operating systems hosting the SE:WSE package are also vulnerable, but the package is not installed by default.
Resolution:
comment2.jse:
Resolution:
zml.cgi:
Resolution:
php/php.exe:
Resolution:
boozt:
12/16/02
Resolution:
check_me.mod.php:
Resolution:
graph.php:
Resolution:
traceroute.pl, nslookup.pl:
Resolution:
dnstools.php:
Resolution:
JSP10Servlet:
Vulnerabilities in JSP10Servlet could allow a remote attacker to view the source code of files under the web root or crash the IIS service.
Resolution:
CSNews.cgi:
Resolution:
iPlanet search:
CAN 2002-0686
Resolution:
none.php:
Resolution:
/mail/admin:
Resolution:
AnyForm, AnyForm2:
Resolution:
formmail, formmail.pl:
Resolution:
webwho.pl:
Resolution:
whois.cgi:
Resolution:
nph-mr.cgi:
Resolution:
ezhttpbench.php:
Resolution:
chetcpasswd.cgi:
Resolution:
uploadimage.php:
Other scripts in Mambo SiteServer have cross-site scripting vulnerabilities which could allow a malicious web site to induce an unsuspecting visitor into executing arbitrary script in the visitor's browser by following a malformed link to the vulnerable script.
Resolution:
wx/s.dll:
Resolution:
w-agora/index.php, w-agora/modules.php:
Resolution:
mail:
An unrelated buffer overflow in the Hypermail program itself could allow a remote attacker to execute arbitrary commands by sending an e-mail message containing a long attachment filename to the mailbox. This vulnerability can only be exploited if the option progress is set to 2.
Resolution:
core.php:
Resolution:
exec.php3:
Resolution:
/dev/translations.php:
Resolution:
uploader.php:
Resolution:
logbook.pl:
Resolution:
phpping:
Resolution:
viewpage.php:
Resolution:
source:
Resolution:
ikonboard.cgi:
Resolution:
At line 104, change:
WebAdmin.dll:
Resolution:
normal_html.cgi:
Resolution:
could allow a remote attacker to read arbitrary files on the
server.
Apply a vendor patch if one becomes available. At this time,
there is not much information available about which versions and
platforms are vulnerable. It may be worth upgrading to version 4.1x
of the web driver, but it is not certain that that would be an
adequate fix. See Bugtraq
for more information.
12/4/01
CAN 2001-0938
This is just one of several potentially dangerous sample
scripts which are included with AspUpload.
It provides a form which allows the user to upload a file to a fixed
file name on the server. However, the destination file name is passed in through
a hidden form variable, which could easily be changed to an arbitrary
name by manipulating the form's source code on the client. Furthermore, UploadScript11.asp,
the script which processes the form data, does not check the file name
for special characters, so the uploaded file could be placed
anywhere on the logical drive. An attacker could execute arbitrary commands
by uploading a script to the web server's script directory, and then
requesting the script from a web browser.
The entire AspUpload/Scripts directory should
be deleted. Note that simply deleting the Test11.asp and UploadScript11.asp
scripts is not an adequate solution. There are other sample scripts
which could allow a remote attacker to list directories, read arbitrary
files, or upload files to arbitrary locations on the drive.
12/7/01
CAN 2001-0937
This script, an extension of the FormMail script,
encrypts HTML form data before mailing it to a recipient. Due to a lack
of input parameter checking, it is possible for a remote attacker
to execute arbitrary commands by including special characters in
the recipient or pgpuserid parameters.
Change the source code as described in
Bugtraq.
12/13/01
This script, developed by EZScripting.com,
converts data from an HTML form into a Comma-Separated Value (CSV)
database. Due to insufficient checking of the file
parameter, it is possible for a remote attacker to execute
arbitrary commands by including special characters in the query.
Instead of allowing users to specify the file name as
a hidden form variable, force the script to use a fixed
file name. Just above the following line (line 40):
add
@line=&modify_CSV($CSV_file);
where /path/filename is the full path and file name of the
database file.
$CSV_file="/path/filename";
12/26/01
This script is present on Novell Netware web servers by
default, and is part of ScriptEase:
Web Server Edition (SE:WSE), a Javascript development utility.
viewcode.jse is a sample script which allows
two default files, httplist.html and httplist.jse
(both located in the httplist directory) to be viewed. However,
the name of the file to view can be specified by the user as an input parameter
through a web request. Furthermore, the only validation of the input file is
a check that the httplist directory is in the path. This check
is inadequate because it allows an attacker to escape from the intended directory
by including the ../ string in the path, thus allowing
read access to any file on the system.
Remove viewcode.jse and other sample scripts
from the web server, and apply service pack 3 to Netware 5.1.
3/4/02
CAN 2002-0323
This is another vulnerable sample script which comes with
ScriptEase: Web Server Edition.
It could be used to read arbitrary files on the server.
Remove the script. It can be found under the sewse/jabber
directory. The full path depends upon the platform.
1/2/02
CAN 2001-1209
This is a PERL script which supports server-side include
directives under Apache. It is possible to view arbitrary files on
the system by supplying a file parameter containing
the "../" sequence and a null byte.
There is no known vendor-supplied fix for this problem.
It would be advisable to remove the script.
1/9/02
The instructions that come with PHP advise users of
Apache for Windows to create the following
script alias:
This alias allows users to access the php/ directory,
and thus the php.exe
program, which is the PHP language interpreter. This interpreter
can be used to view arbitrary files on the system using a web
browser. This vulnerability affects PHP with Apache for Windows
only.
ScriptAlias /php/ "c:/php/"
There is no vendor-supplied solution at this time.
It would be advisable to remove the above script alias line
from the httpd.conf file. Note that some
of the lines directly following the script alias may then need to
be modified in order to maintain PHP functionality.
1/25/02
CVE 2002-0098
BOOZT! is a banner
management system for Linux. BOOZT! comes with a web-based
administration interface which is powered by the
index.cgi program. Some of the input parameters
to index.cgi are copied into fixed-length buffers
without first checking their length, which could lead to a buffer
overflow. Successful exploitation of this vulnerability could
allow a remote attacker to execute arbitrary commands with the
privileges of the web server. BOOZT! version 0.9.8alpha and earlier
are affected by this vulnerability.
A new buffer overflow in index.cgi has been discovered
in BOOZT! 0.9.8 Standard. Earlier versions, and perhaps the premium version,
may also be vulnerable.
Upgrade to
the latest version of BOOZT! when it becomes available.
1/30/02
This script performs spell-checking for the
Squirrelmail web mail
system. Due to insecure use of PHP variables, it is possible
for a remote attacker to execute arbitrary commands on the
server by sending a specially crafted query with the commands
included in the SQSPELL_APP[] input variable.
Upgrade to Squirrelmail
1.2.4 or later.
1/31/02
This script is part of the Ganglia
cluster monitoring system's PHP-based web client. In some cases, the value of
the command input parameter is executed by the
system, thus allowing a remote attacker to execute arbitrary
commands. Ganglia versions prior to 1.0.2 are affected by this
vulnerability.
Upgrade to Ganglia version 1.0.2 or higher.
3/27/02
CVE 2002-0488
CAN 2002-0489
These scripts, distributed by Linux Directory,
are simple web interfaces to the traceroute and nslookup
utilities. Due to a lack of parameter checking, a remote attacker could
execute arbitrary commands by sending specially crafted input to
either script. Note that this is only a problem in the traceroute.pl
and nslookup.pl scripts and not vulnerabilities in the traceroute
and nslookup programs themselves.
There is no vendor fix for this problem. It would be advisable
to delete traceroute.pl and nslookup.pl.
5/3/02
CVE 2002-0613
This script is part of DNSTools,
which provides a web-based interface for DNS configuration
and management. Due to the script's failure to initialize
variables, versions prior to 2.0 beta 5 allow a remote
attacker to bypass authentication by specifying user_logged_in=true
and/or user_dnstools_administrator=YES in the
query. Once authentication is bypassed, the attacker could
make arbitrary changes to DNS tables, which could be used
to carry out subsequent attacks.
Upgrade to DNSTools 2.0 beta 5
or higher.
6/3/02
CAN 2002-0893
This class is part of the ServletExec
web application server. It can be invoked either by requesting a .jsp
file or directly using the path /servlet/com.newatlanta.servletexec.JSP10Servlet.
Install patch 9.
6/25/02
CAN 2002-0921
CAN 2002-0922
CAN 2002-0923
CAN 2002-0924
This script processes requests for the
CSNews
news management package for web sites. Multiple vulnerabilities
could allow an unauthenticated user to view database files,
configuration files (including usernames and passwords), and
full physical path names. Furthermore, an
authenticated or anonymous user could change settings and
execute commands.
Contact CGIscript.net
for a fix. Only allow trusted users to access the
application. Restrict access to *db and
*.style files.
7/12/02
CAN 2002-1042
This program is the search engine which comes with
iPlanet
web servers. It is affected by two vulnerabilities. The
first is a directory traversal vulnerability which could allow
a remote attacker to view any file on the system by
including the dot-dot-slash (../) string in
the NS-query-pat parameter.
The second vulnerability is a buffer overflow. A remote attacker could
execute arbitrary commands by assigning a long, specially
crafted value to the NS-rel-doc-name
parameter.
Download and install
Service Pack 10 for iPlanet Web Server 4.1 or Service Pack 3
for iPlanet Web Server 6.
7/22/02
This script is part of the
Sun Professional
Services i-Runbook service. It is intended to be used
to view the build snapshop, but it can be used to view any
file which is readable by the web server.
Contact the service provider for a fix.
10/22/02
CVE 2002-0513
This script is the administrative web interface
for popper_mod, a POP3 e-mail client written in PHP. By
default there is no access protection on this script,
allowing remote attackers the ability to view, modify, or
delete user accounts, passwords, and settings.
Use the web server's .htaccess file
to restrict access to the script, or upgrade to
popper_mod 1.2.2 or higher.
10/22/02
CVE 1999-0066
This script is used to process HTML form data and mail it
to an e-mail address specified by a hidden parameter called
AnyFormTo.
Due to a lack of parameter checking, arbitrary shell commands
can be embedded into this parameter using semi-colons simply
by modifying the form on one's local machine. As a result,
a remote attacker could execute arbitrary commands on the server.
The author released a fixed version, but the software has
since been made unavailable to the public. It would be
advisable to remove this program from the web server.
10/22/02
CVE 1999-0172
This is another program used to process HTML form data
and mail it to an e-mail address. The recipient address
is specified by a hidden parameter called
recipient.
Due to a lack of paramater checking, arbitrary shell
commands can be embedded into this parameter, allowing
an attacker to execute arbitrary commands on the server.
Upgrade to the latest version of
FormMail.
10/22/02
CVE 2000-0010
This is the WebWho+ program, which is used to retrieve
information about network domains through a web interface.
Due to a lack of parameter checking, an attacker could
embed shell commands within the type
parameter, thus gaining unauthorized access to the server.
Upgrade to the latest version of
WebWho+.
10/22/02
CVE 2000-0941
This script is Kootenay Web's Whois CGI application for
retrieving network domain information through a web
interface. Due to a lack of parameter checking, a remote
attacker could gain unauthorized access to the server by
embedding shell commands within the query.
Upgrade to the latest version of Whois.
11/1/02
This script is part of Mailreader.com,
a web-based e-mail reader supporting the POP protocol.
There are two remotely exploitable vulnerabilities in
Mailreader.com. The first affects nph-mr.cgi.
An attacker could read arbitrary files by supplying
a specially crafted value for the configLanguage parameter
containing dot-dot-slash ("../") sequences
and a terminating null character (%00).
The second vulnerability affects compose.cgi.
Insufficient validity checking of the
$CONFIG{RealEmail} parameter in compose.cgi,
which is used as the $from variable in
network.cgi, could
allow an attacker to execute arbitrary commands by submitting
input containing special characters.
Upgrade
to version 2.3.32 or higher.
11/22/02
eZ httpbench is a simple benchmarking program
written in PHP. Due to a lack of input parameter checking,
a remote attacker could view arbitrary files such as the
/etc/passwd file by specifying the file name
in the AnalyseSite variable.
There is no available fix at this time. The script should
be deleted.
12/31/02
chetcpasswd is a utility which allows users to change
their passwords using a web browser. Due to a lack of
parameter checking, it is possible for a remote attacker
to overflow the user parameter, which causes
the program to reveal the last line of the
/etc/shadow file. This information could be
used to crack a user password and gain access to the system.
Delete the program, or use the /etc/chetcpasswd.allow
file to permit access only to trusted hosts.
1/14/03
This script is part of Mambo SiteServer. It allows users to upload
images and other non-executable file types. However, the
file type check is insufficient, allowing an attacker to
upload a script by following a legal extension with another
extension. For example, an attacker could upload a script
named filename.gif.php. The attacker could
then use a web browser to execute the script, which could
contain arbitrary commands.
Download all
security patches for versions 3.0.7 through 4.0.11, or
upgrade to the 4.0.12 stable release when it becomes
available.
1/24/03
This program is the front-end to Follett's
WebCollection Plus product. Due to insufficient
parameter checking, it is possible to retrieve any file on
the C: drive by specifying an absolute path name in the
d parameter.
Upgrade to version 5.0.6 or higher when available.
This version will presumably contain a fix.
1/24/03
These scripts are part of the w-agora
web publishing and forum package. A remote attacker could
read arbitrary commands on the server using a directory
traversal attack in the bn or file
parameter.
Upgrade
to version 4.1.6 when available. This version will presumably
contain a fix.
2/9/03
CAN 2003-0057
This script is part of the Hypermail
software. Due to a buffer overflow condition, a remote attacker
who controls his or her own authoritative DNS server could
execute arbitrary commands by creating a long, specially
crafted reverse DNS entry, which is then
copied to a fixed length buffer by the mail program.
The program could also be abused by spammers to send out
mass quantities of e-mail while hiding their true origin.
Upgrade to
version 2.1.6 or higher. Alternatively, set the option progress
to a value other than 2, and configure Hypermail not to use
the mail program and remove it from the cgi-bin
directory.
2/9/03
This script is part of the dotproject
web-based project management and tracking tool. Due to a lack
of protection of the locale directory combined
with a lack of input parameter checking, a remote attacker
could read any file on the system.
Install a vendor fix when one becomes available. Version
0.2.3 or higher will presumably contain a fix. If a fix
is not available, create a file called .htaccess
containing the text "Deny from all" in the
dotproject/locales directory.
2/21/03
This script is part of the DotBr package. There are
vulnerabilities affecting multiple files in this package:
Remove exec.php3, system.php3, and
foo.php3. Rename config.inc to config.inc.php, and change all other scripts which reference it to
use the new name.
3/7/03
This script is part of the TYPO3 package.
Multiple vulnerabilities could allow path disclosure,
retrieval of files outside the web root, command
execution, cross-site scripting, and cookie theft.
Upgrade to the
latest version of TYPO3, or apply the workaround posted
to Bugtraq.
3/7/03
This script allows remote users to upload files to the server.
By default, no password is required to upload, and files are
placed in a directory which is accessible from the web.
This allows a remote attacker to upload a PHP script and
execute it from a web browser, thus gaining the ability
to execute commands on the web server.
In the setup.php file, set
$ADMIN[RequirePass] = "No";.
3/18/03
This script, developed by Wordit,
makes insecure use of PERL's open call, allowing
remote attackers to view arbitrary files or execute commands
by embedding special characters in the file
parameter.
There is no vendor fix available at this time. It would
be advisable to remove the script.
3/19/03
This script is a simple tool which provides a web
interface to the ping command for determining whether
a remote host is alive. Due to insufficient checking
of the pingto parameter, it is possible for
a remote attacker to execute arbitrary commands.
Remove the script, or fix the script. An example is
provided in Bugtraq.
3/27/03
This script is present in some installations of
PHP-Nuke. It allows
a remote attacker to view any file by specifying an
absolute path name in the file parameter.
Remove the script.
4/2/03
CAN 2003-0156
This script is part of Cross-Referencing
Linux, also known as LXR. Due to insufficient checking
of input parameters, it is possible for a remote attacker
to read arbitrary files on the system by including
dot-dot-slash (../) characters and a trailing
null character within the v parameter. Stable
releases 0.3 and earlier and beta versions 0.9.2 and earlier
are affected.
Download
stable release 0.3.1 or higher. There is also an updated
package from Debian
which fixes the problem.
4/16/03
This is the script which implements
IkonBoard, a web
bulletin board system. Due to insufficient checking of the
lang cookie, it is possible for a remote
attacker to include arbitrary commands within this cookie,
which are then executed by the script. IkonBoard 3.1.1
and probably earlier versions are affected.
IkonBoard 3.1.2 and higher will presumably contain
a fix. Alternatively, make the following changes to
Sources/Lib/FUNC.pm, as posted to
Bugtraq:
to:
$sid =~ s/^(\d+)$/$1/;
and at line 191, change:
$sid =~ s/^(\d+)$/$1/ or die 'bad sid cookie value';
to:
$iB::COOKIES->{$iB::INFO->{'COOKIE_ID'}.'lang'} =~ s/^([\d\w]+)$/$1/;
$iB::COOKIES->{$iB::INFO->{'COOKIE_ID'}.'lang'} =~ s/^([\d\w]+)$/$1/ or die 'bad lang cookie value';
5/6/03
This program powers WebAdmin, which is a
web-based administration interface for
MDaemon and other products developed by
alt-n. Due to a lack of
input parameter checking, it is possible for a remote attacker
to view any file on the system by submitting a specially
crafted request from a web browser.
Upgrade to WebAdmin 2.0.3 or higher.
5/12/03
CAN 2003-0243
CAN 2003-0277
CAN 2003-0278
This script is part of the
Happymall
E-Commerce server. Due to insufficient checking of the
file parameter which is passed into a PERL
open call, a remote attacker could execute
arbitrary shell commands or gain unauthorized read access
to files. member_html.cgi
is also affected by the same vulnerability.
Install the patch referenced in
KA2003-034 to correct the code execution problem
in both scripts. Note that this patch might not correct the
file read problem. If this problem persists, contact the
vendor.
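Nearly every entry above is one of two defects: a host name or address handed to an external command without checking (network_query.php, Network_Tools, traceroute.pl, nslookup.pl, webwho.pl, whois.cgi, phpping, and the recipient parameters of AnyForm and FormMail), or a file name handed to open() without checking for "../", a null byte, or shell characters (viewcode.jse, zml.cgi, nph-mr.cgi, source, logbook.pl, normal_html.cgi, and others). The following Perl is an added example written for this page; it is not code from the tutorial or from any of the packages listed, and the /bin/ping path, the document-root layout, and all sample inputs are assumptions constructed for the demonstration. It shows the checks that would have prevented both classes of problem: a whitelist on the host name plus the list form of open, which runs the command without a shell, and a path check that rejects traversal and null bytes, resolves symlinks, and then uses three-argument open so the name can never be read as a pipe or redirection.

```perl
#!/usr/bin/perl
# Added example, not part of the SAINT tutorial or of any listed package.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Accept only a host name or IPv4 literal; return undef for anything else.
# Every character a shell could act on (; | & ` $ space, newline) is outside
# the allowed set, and %-encoding does not help because CGI decoding has
# already happened by the time the value reaches this check.
sub safe_host {
    my ($input) = @_;
    return undef unless defined $input && length($input) <= 253;
    my $label = qr/[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?/;
    return undef unless $input =~ /\A$label(?:\.$label)*\z/;
    return $input;
}

# Run ping against a validated host.  The list form of open passes each
# argument straight to execve, so no shell ever parses them: validation is
# the first line of defence and the absence of a shell is the second.
# (/bin/ping is an assumed path; adjust for the platform.)
sub ping_host {
    my ($host) = @_;
    my $target = safe_host($host);
    die "refusing to ping '$host'\n" unless defined $target;
    open(my $fh, '-|', '/bin/ping', '-c', '1', $target)
        or die "cannot run ping: $!\n";
    local $/;
    my $output = <$fh>;
    close $fh;
    return $output;
}

# Map a user-supplied "file" parameter to a path below $root, or return undef.
sub resolve_safe_path {
    my ($root, $param) = @_;
    return undef unless defined $param && length $param;
    return undef if $param =~ /\0/;                      # NUL truncates the name in the C library
    return undef if $param =~ m{\A/};                    # no absolute paths
    return undef if $param =~ m{(?:\A|/)\.\.(?:/|\z)};   # no parent-directory components
    return undef unless $param =~ m{\A[\w./-]+\z};       # conservative character set: no | < > ;
    my $candidate = File::Spec->catfile($root, $param);
    return undef unless -e $candidate;
    my $real      = realpath($candidate);
    my $real_root = realpath($root);
    return undef unless defined $real && defined $real_root;
    # After symlink resolution the file must still sit below the root.
    return undef unless index($real, "$real_root/") == 0;
    return $real;
}

# Read a validated file.  Three-argument open with an explicit '<' mode never
# interprets the name, unlike the two-argument open(FH, $name) the vulnerable
# scripts use, where a leading '|' or '>' changes what open does.
sub read_safe_file {
    my ($root, $param) = @_;
    my $path = resolve_safe_path($root, $param);
    die "refusing to open '$param'\n" unless defined $path;
    open(my $fh, '<', $path) or die "cannot open $path: $!\n";
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Constructed demonstration: a throw-away document root with one real page,
# then a set of parameter values modelled on the entries above.
my $root = tempdir(CLEANUP => 1);
mkdir "$root/httplist" or die "mkdir: $!";
open(my $w, '>', "$root/httplist/httplist.html") or die "write: $!";
print $w "<html>sample page</html>\n";
close $w;

for my $name ('httplist/httplist.html', '../etc/passwd',
              "httplist/httplist.html\0.txt", '/etc/passwd',
              'httplist/../../../etc/passwd', '|ls') {
    (my $shown = $name) =~ s/\0/\\0/g;
    printf "file %-34s %s\n", $shown,
        defined(resolve_safe_path($root, $name)) ? 'allowed' : 'rejected';
}
for my $host ('www.example.com', '192.0.2.1', 'example.com;ls',
              '-f www.example.com', "example.com\n") {
    (my $shown = $host) =~ s/\n/\\n/g;
    printf "host %-34s %s\n", $shown,
        defined(safe_host($host)) ? 'allowed' : 'rejected';
}
print read_safe_file($root, 'httplist/httplist.html');
```

Only the first file name and the first two hosts pass; the rest are rejected before any system call is made. ping_host is defined but not called in the demonstration so that the script runs without network access. The same two checks transfer directly to the PHP scripts listed: validate against a whitelist, then call the command with an argument array rather than a shell string, and resolve and compare the path before reading it.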
Where can I read more about this?
For those interested in reading more about general WWW security and secure
CGI programming, visit the World Wide Web Security FAQ.