GEN:SID 1:2201
Message WEB-CGI download.cgi access
Summary This event is generated when an attempt is made to access download.cgi on an internal web server. The rule fires on any request for download.cgi; such a request may indicate an attempt to exploit a directory traversal vulnerability in Matt Wright's download.cgi version 1.0 (the File Download script).
Impact Information disclosure.
Detailed Information Matt Wright's Script Archive provides a File Download script (download.cgi) that lets a site count downloads of specific files. The script takes the file to serve from the "f" parameter and does not validate it against the intended download directory. An attacker can therefore place directory traversal sequences ("../../", for instance) in the "f" parameter to make download.cgi read and return files outside the download directory, limited only by what the web server process is permitted to read.
Affected Systems Any web server using download.cgi version 1.0 to track file downloads.
Attack Scenarios An attacker crafts a download.cgi URL in which f=../../../../../../etc/passwd and sends it to a vulnerable server. If the number of "../" components is enough to climb from the download directory to the filesystem root, the path resolves to the target server's password file and the attacker can view and download it. The same technique retrieves any other file readable by the web server's user, and can be used to browse the server for configuration files and other information useful in a later attack.
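The following is an added example, not Matt Wright's original Perl script and not part of this rule's documentation. It models the behaviour described in the Detailed Information and Attack Scenarios sections above: a naive resolver that concatenates the base directory with the "f" value (so "../" walks out of it), a hardened resolver that rejects anything escaping the base directory, and a detection check that URL-decodes the "f" parameter of a request line before looking for ".." segments. The base directory, function names and the sample request lines are all constructed for illustration.

```python
"""Model of the download.cgi "f" parameter traversal with a fix and a detector.

Added example: the vulnerable function imitates the behaviour the advisory
describes (base directory + user-supplied name, no validation); it is not
the original script's code. BASE_DIR and the sample requests are constructed.
"""
import posixpath
from urllib.parse import urlsplit, parse_qs

BASE_DIR = "/var/www/downloads"   # hypothetical download directory


def vulnerable_resolve(f: str, base_dir: str = BASE_DIR) -> str:
    """Naive concatenation: '../' segments in f walk out of base_dir."""
    return posixpath.normpath(base_dir + "/" + f)


def safe_resolve(f: str, base_dir: str = BASE_DIR):
    """Return the resolved path only if it is a file under base_dir, else None.

    Two layers: reject absolute names and any '..' segment up front, then
    confirm the normalized result still starts with the base directory.
    """
    if f.startswith("/") or ".." in f.split("/"):
        return None
    base = posixpath.normpath(base_dir)
    resolved = posixpath.normpath(posixpath.join(base, f))
    if not resolved.startswith(base + "/"):
        return None
    return resolved


def traversal_in_f(request_line: str) -> bool:
    """Detection check: does a request for download.cgi carry a '..' path
    segment in its f parameter after URL decoding?  Decoding first matters
    because '%2F' and '%2e%2e' would otherwise hide the traversal."""
    parts = request_line.split()
    if len(parts) < 2:
        return False
    url = urlsplit(parts[1])
    if not url.path.endswith("/download.cgi"):
        return False
    for value in parse_qs(url.query, keep_blank_values=True).get("f", []):
        # Treat backslashes as separators too, in case the target is not Unix.
        if ".." in value.replace("\\", "/").split("/"):
            return True
    return False


SAMPLE_REQUESTS = [  # constructed request lines, not captured traffic
    "GET /cgi-bin/download.cgi?f=report.pdf HTTP/1.0",
    "GET /cgi-bin/download.cgi?f=../../../../../../etc/passwd HTTP/1.0",
    "GET /cgi-bin/download.cgi?f=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.0",
    "GET /cgi-bin/other.cgi?f=../../etc/passwd HTTP/1.0",
]


def scan(requests=SAMPLE_REQUESTS):
    """Return the request lines that look like download.cgi traversal attempts."""
    return [r for r in requests if traversal_in_f(r)]


if __name__ == "__main__":
    attack = "../../../../../../etc/passwd"
    print("vulnerable:", vulnerable_resolve(attack))
    print("safe      :", safe_resolve(attack))
    print("safe      :", safe_resolve("report.pdf"))
    for line in scan():
        print("ALERT:", line)
```

Note that the rule itself matches every request for download.cgi, so when triaging an alert, decode the "f" parameter from the captured request and apply a check like `traversal_in_f` before treating it as an exploitation attempt.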
Ease of Attack Simple. A proof of concept exists.
Corrective Action Remove or disable download.cgi on the affected server. Because the rule fires on any request for download.cgi, inspect the "f" parameter of the captured request (after URL decoding) for "../" sequences to distinguish an exploitation attempt from ordinary use.
Additional References  
Rule References bugtraq: 4579
cve: 1999-1377
nessus: 11748