GEN:SID | 1:2220 |
Message | WEB-CGI simplestmail.cgi access |
Summary | This event is generated when an attempt is made to access simplestmail.cgi on an internal web server. This may indicate an attempt to exploit a remote command execution vulnerability in Leif M. Wright's Simple Guestbook.
|
Impact | Remote execution of arbitrary code, possibly leading to remote root compromise.
|
Detailed Information | Leif Wright's Simple Guestbook uses a Perl script to manage web-based guestbook submissions. It improperly parses pipe metacharacters (|), allowing an attacker to place arbitrary shell commands between pipe characters in the guestbook value. These commands are then executed by the web server when it receives the request.
|
Affected Systems | Web servers running Leif M. Wright Simple Guestbook.
|
Attack Scenarios | An attacker uses a specially crafted value in the guestbook field between pipe characters. Any commands included in the value are executed with the security context of the web server.
|
Ease of Attack | Simple. Exploits exist.
|
Corrective Action | Disable simplestmail.cgi.
|
Additional References | Bugtraq http://www.securityfocus.com/bid/2106
|
Rule References | bugtraq: 2106
bugtraq: 4579
cve: 2001-0022
nessus: 11748
|