HTTP_Campas cgi_bin

 

Code: p90

Severity: Notice

 

Description: This check recognizes an attack against the campas cgi-bin script present on certain httpd web servers. The exploit allows a remote attacker to execute commands on the web server machine as the user under which the httpd process is running, and therefore to access files on the web server with that user ID. Depending on the configuration of your web server, this could allow the attacker to gain root or administrator access to the host. In either case, it allows the attacker to alter the contents of your web site.

Impact: Old NCSA web servers only. The campas cgi-bin script was shipped with these servers as a default.

Corrective: Check to see whether the target system is vulnerable to this attack. Check the RealSecure signature to see the command that the attacker attempted to execute on the target web server. Use this data to guide further investigation of the attack. If the system is vulnerable and the command indicates a possible incursion, then you should consider the system compromised and take appropriate action. Upgrade your HTTP server to the latest version. You should also remove the campas cgi-bin script.
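The log review described under Corrective can be scripted. The following is an added example, not part of the RealSecure product or the original entry: it scans NCSA Common Log Format access-log lines for requests to the campas script and decodes the query string so the attempted command can be read. The function name, the field names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes, urlsplit

# NCSA Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')

# Constructed sample lines (not real traffic); the query string is a placeholder.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2000:10:00:00 +0000] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [01/Jan/2000:10:02:11 +0000] "GET /cgi-bin/campas?placeholder%20command%20string HTTP/1.0" 200 512
198.51.100.7 - - [01/Jan/2000:10:02:40 +0000] "GET /CGI-BIN/Campas HTTP/1.0" 404 207
203.0.113.5 - - [01/Jan/2000:10:05:00 +0000] "GET /docs/campas.html HTTP/1.0" 200 88
"""

def find_campas_requests(log_text):
    """Return one record per request whose path ends in cgi-bin/campas."""
    hits = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # not a Common Log Format line
        host, when, request, status, _size = m.groups()
        parts = request.split()
        if len(parts) < 2:
            continue  # malformed request line
        url = urlsplit(parts[1])
        # Percent-decode and lower-case the path so encoded or mixed-case
        # spellings of the script name are still caught.
        path = unquote_to_bytes(url.path).decode("latin-1").lower()
        if path.rstrip("/").split("/")[-2:] != ["cgi-bin", "campas"]:
            continue
        hits.append({
            "client": host,
            "time": when,
            "status": int(status),
            # Heuristic: a 2xx status means the server answered the request,
            # so the script is probably still installed on the target.
            "served": status.startswith("2"),
            # Decoded query: what the client passed to the script.
            "query": unquote_to_bytes(url.query).decode("latin-1"),
        })
    return hits

if __name__ == "__main__":
    for hit in find_campas_requests(SAMPLE_LOG):
        # repr() keeps any non-printable characters in the query visible.
        print(hit["time"], hit["client"], hit["status"], repr(hit["query"]))
```

A record with "served" set to True marks a host where the script should be confirmed present and removed, and where the decoded query should guide the compromise investigation.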