GEN:SID 1:2211
Message WEB-CGI guestserver.cgi access
Summary This event is generated when an attempt is made to access guestserver.cgi on an internal web server. This may indicate an attempt to exploit a remote command execution vulnerability in Lars Ellingsen's Guestbook system.
Impact Remote execution of arbitrary code.
Detailed Information Lars Ellingsen's Guestbook system is a CGI application for web-based guestbooks. It contains a parsing vulnerability in guestserver.cgi where an attacker can place executable code within pipe characters (|) in front of an email address in the email value of a guestbook form. Because the pipe metacharacter is not properly filtered, code placed in the email value is executed with the security context of the web server.
Affected Systems Any web server running Lars Ellingsen's Guestbook system.
Attack Scenarios An attacker prepends shell commands between pipe characters to an email address in the email value of a guestbook entry. When the form data is submitted, the web server attempts to execute the commands.
Ease of Attack Simple. Exploits exist.
Corrective Action Because Lars Ellingsen's guestbook system does not appear to be currently maintained, you may want to use a different guestbook application. As a workaround, you can change the 1 that appears on the line beneath <-guestbook.mailto_guest-> to 0 in the guestbook.config file.
Additional References  
Rule References bugtraq: 4579
cve: 2001-0180
nessus: 11748