Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
GEN:SID | 1:2211 |
Message | WEB-CGI guestserver.cgi access |
Summary | This event is generated when an attempt is made to access guestserver.cgi on an internal web server. This may indicate an attempt to exploit a remote command execution vulnerability in Lars Ellingsen's Guestbook system. |
Impact | Remote execution of arbitrary code. |
Detailed Information | Lars Ellingsen's Guestbook system is a CGI application for web-based guestbooks. It contains a parsing vulnerability in guestserver.cgi where an attacker can place executable code within pipe characters (|) in front of an email address in the email value of a guestbook form. Because the pipe metacharacter is not properly filtered, code placed in the email value is executed with the security context of the web server. |
Affected Systems | Any web server running Lars Ellingsen's Guestbook system. |
Attack Scenarios | An attacker prepends shell commands between pipe characters to an email address in the email value of a guestbook entry. When the form data is submitted, the web server attempts to execute the commands. |
Ease of Attack | Simple. Exploits exist. |
Corrective Action | Because Lars Ellingsen's guestbook system does not appear to be currently maintained, you may want to use a different guestbook application. As a workaround, you can change the 1 that appears on the line beneath <-guestbook.mailto_guest-> to 0 in the guestbook.config file. |
Additional References | |
Rule References | bugtraq: 4579 cve: 2001-0180 nessus: 11748 |
--
DID:668880
--
http://www.aanval.com/