GEN:SID 1:2220
Message WEB-CGI simplestmail.cgi access
Summary This event is generated when an attempt is made to access simplestmail.cgi on an internal web server. This may indicate an attempt to exploit a remote command execution vulnerability in Leif M. Wright's Simple Guestbook.
Impact Remote execution of arbitrary code, possibly leading to remote root compromise.
Detailed Information Leif Wright's Simple Guestbook uses a Perl script to manage web-based guestbook submissions. It improperly parses pipe metacharacters (|), allowing an attacker to place arbitrary shell commands between pipe characters in the guestbook value. These commands are then executed by the web server when it receives the request.
Affected Systems Web servers running Leif M. Wright Simple Guestbook.
Attack Scenarios An attacker uses a specially crafted value in the guestbook field between pipe characters. Any commands included in the value are executed with the security context of the web server.
Ease of Attack Simple. Exploits exist.
Corrective Action Disable simplestmail.cgi.
Additional References Bugtraq
http://www.securityfocus.com/bid/2106
Rule References bugtraq: 2106
bugtraq: 4579
cve: 2001-0022
nessus: 11748