SGI IRIX cgi-bin wrap program remote users can list files
http-sgi-wrap (290)
Description:
The wrap CGI program could allow a remote attacker to obtain sensitive information. By accessing the wrap script with specially formatted arguments, a remote attacker can obtain a listing of files on the server. This information could be useful to an attacker in performing further attacks.
Platforms Affected:
- SGI, IRIX 5.3
- SGI, IRIX 6.0
- SGI, IRIX 6.0.1
- SGI, IRIX 6.1
- SGI, IRIX 6.2
- SGI, IRIX 6.3
- SGI, IRIX 6.4
- Various vendors, Common Gateway Interface (CGI)
Remedy:
Disable or remove the scripts included with the IRIX Outbox Environment Subsystem and apply the appropriate patches for your system, as listed in Silicon Graphics Inc. Security Advisory 19970501-02-PX. See References.
— AND —
If possible, upgrade to the latest version of the operating system running on your Web server.
Consequences:
Obtain Information
References:
- SGI Security Advisory 19970501-02-PX, IRIX webdist.cgi, handler and wrap programs at ftp://patches.sgi.com/support/free/security/advisories/19970501-02-PX.
- BID-373: IRIX cgi-bin wrap Vulnerability
- CVE-1999-0149: The wrap CGI program in IRIX allows remote attackers to view arbitrary directory listings via a .. (dot dot) attack.
- OSVDB ID: 247: IRIX wrap CGI Traversal Arbitrary Directory Listing
Reported:
Apr 02, 1997
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
