Test-cgi sample CGI script allows remote retrieval of file listings
X-Force ID: http-cgi-test (149)
Description:
Certain conditions in the test-cgi file, shipped with older NCSA and Apache HTTP server packages, could allow a remote attacker to submit a query to view the contents of the cgi-bin directory or other directories on the Web server. This information could be useful to an attacker in performing future attacks on the system.
This vulnerability can be used to change the contents of a Web page. Exploit information for this vulnerability has been widely distributed.
Platforms Affected:
- Apache, HTTP Server
- Compaq, Tru64
- Data General, DG/UX
- HP, HP-UX
- IBM, AIX
- Linux, Kernel
- NCSA, NCSA Servers
- SCO, SCO Unix
- SGI, IRIX
- Sun, Solaris
- Various vendors, Common Gateway Interface (CGI)
- WindRiver, BSDOS
Remedy:
Remove test-cgi, in addition to any other example CGI scripts, from your cgi-bin directory. If these scripts exist on your system, you may be running an outdated server and should upgrade to the latest version offered by your vendor.
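The following POSIX shell script is an added example and is not part of the X-Force entry. It carries out the remedy as an auditable check: it lists the example CGI scripts still present in a cgi-bin directory and counts access-log requests for /cgi-bin/test-cgi, so an administrator can both remove the scripts and see whether the script was ever requested. The script names other than test-cgi (nph-test-cgi, printenv), the fixture directory layout and the log lines are constructed assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the X-Force entry): audit a cgi-bin directory
# for the example CGI scripts the remedy says to remove, and count access-log
# requests aimed at test-cgi so an administrator can tell whether it was probed.

# Example scripts shipped by older NCSA/Apache packages. test-cgi is the one
# this entry covers; nph-test-cgi and printenv are assumed additions.
SAMPLE_CGI="test-cgi nph-test-cgi printenv"

# audit_cgi_bin DIR: print each sample script present in DIR.
# Returns 0 when DIR is clean, 1 when at least one sample script was found.
audit_cgi_bin() {
    _dir="$1"
    _found=0
    for _name in $SAMPLE_CGI; do
        if [ -e "$_dir/$_name" ]; then
            echo "sample script present: $_dir/$_name"
            _found=1
        fi
    done
    return "$_found"
}

# count_test_cgi_requests LOG: number of access-log lines whose request line
# targets /cgi-bin/test-cgi, with or without a query string.
count_test_cgi_requests() {
    grep -c '"[A-Z]* /cgi-bin/test-cgi' "$1" || true
}

# make_fixture: build a constructed cgi-bin directory and access log under a
# temporary directory and print its path.
make_fixture() {
    _tmp=$(mktemp -d)
    mkdir -p "$_tmp/cgi-bin"
    : > "$_tmp/cgi-bin/test-cgi"
    : > "$_tmp/cgi-bin/printenv"
    : > "$_tmp/cgi-bin/app.cgi"
    # Constructed Common Log Format lines; 198.51.100.7 is a documentation address.
    cat > "$_tmp/access.log" <<'EOF'
198.51.100.7 - - [01/Apr/1996:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 1024
198.51.100.7 - - [01/Apr/1996:10:00:02 +0000] "GET /cgi-bin/test-cgi HTTP/1.0" 200 512
198.51.100.7 - - [01/Apr/1996:10:00:03 +0000] "GET /cgi-bin/test-cgi?example HTTP/1.0" 200 640
198.51.100.7 - - [01/Apr/1996:10:00:04 +0000] "GET /cgi-bin/app.cgi HTTP/1.0" 200 300
EOF
    echo "$_tmp"
}

# run_demo: audit the fixture, remove the sample scripts as the remedy
# directs, and confirm the directory is clean afterwards.
run_demo() {
    _fixture=$(make_fixture)
    audit_cgi_bin "$_fixture/cgi-bin" || echo "remove the scripts listed above"
    echo "test-cgi requests in log: $(count_test_cgi_requests "$_fixture/access.log")"
    for _name in $SAMPLE_CGI; do rm -f "$_fixture/cgi-bin/$_name"; done
    audit_cgi_bin "$_fixture/cgi-bin" && echo "cgi-bin is clean"
    rm -rf "$_fixture"
}

run_demo
```

On a real server, point audit_cgi_bin at the DocumentRoot's cgi-bin (or each ScriptAlias directory) and count_test_cgi_requests at the rotated access logs; a non-zero request count on a host that still had test-cgi installed is the signal that the directory listing described above may already have been retrieved.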
Consequences:
Obtain Information
References:
- BID-2003: Multiple Vendor test-cgi Directory Listing Vulnerability
- CVE-1999-0070: test-cgi program allows an attacker to list files on the server.
Reported:
Apr 01, 1996
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
For corrections or additions please email xforce@iss.net
