Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
GEN:SID | 1:2220 |
Message | WEB-CGI simplestmail.cgi access |
Summary | This event is generated when an attempt is made to access simplestmail.cgi on an internal web server. This may indicate an attempt to exploit a remote command execution vulnerability in Leif M. Wright's Simple Guestbook. |
Impact | Remote execution of arbitrary code, possibly leading to remote root compromise. |
Detailed Information | Leif Wright's Simple Guestbook uses a Perl script to manage web-based guestbook submissions. It improperly parses pipe metacharacters (|), allowing an attacker to place arbitrary shell commands between pipe characters in the guestbook value. These commands are then executed by the web server when it receives the request. |
Affected Systems | Web servers running Leif M. Wright Simple Guestbook. |
Attack Scenarios | An attacker uses a specially crafted value in the guestbook field between pipe characters. Any commands included in the value are executed with the security context of the web server. |
Ease of Attack | Simple. Exploits exist. |
Corrective Action | Disable simplestmail.cgi. |
Additional References | Bugtraq http://www.securityfocus.com/bid/2106 |
Rule References | bugtraq: 2106 bugtraq: 4579 cve: 2001-0022 nessus: 11748 |
--
DID:770492
--
http://www.aanval.com/