HTTP_Info

 

Code: p94

Severity: Notice

 

Description: The "info2www" script converts GNU Info nodes into HTML for viewing over the Web. A vulnerability in some versions of this script allows remote attackers to execute arbitrary commands with the privileges of the user that owns the server process, usually "nobody". Several versions of this program exist, some vulnerable and some not. Generally, a version is vulnerable if it calls open() without first filtering shell metacharacters out of the HTTP request.

Impact: info2www versions prior to 1.2

Corrective: Paranoid sites should disable all CGI scripts until they have been thoroughly audited for security vulnerabilities. Versions prior to 1.2 of info2www should be considered vulnerable, as well as info2html, infogate, and other derivative works.
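
The open() pattern named in the description, shown beside a hardened form, as an added example (not info2www's own code and not part of the original entry). The directory path and the sub names `safe_info_name` and `open_info_file` are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: directory holding the Info files the CGI script may serve.
my $INFO_DIR = '/usr/share/info';

# Vulnerable pattern, left as a comment so it never runs. Two-argument
# open() interprets its string: a value that starts or ends with "|" is
# executed as a command rather than opened as a file.
#
#   open(FILE, $requested);

# Return the name if it is a plain file name, otherwise undef.
sub safe_info_name {
    my ($requested) = @_;
    return unless defined $requested;
    # Allow-list: letters, digits, "_", ".", "+", "-"; no "/", no spaces,
    # no shell metacharacters; must not start with "." or "-".
    return unless $requested =~ /\A([A-Za-z0-9_][A-Za-z0-9_.+-]{0,63})\z/;
    return $1;    # captured copy is untainted under perl -T
}

# Hardened open: validated name plus three-argument open() with an explicit
# read mode, so the value can only ever be treated as a file name.
sub open_info_file {
    my ($requested) = @_;
    my $name = safe_info_name($requested);
    return unless defined $name;
    open(my $fh, '<', "$INFO_DIR/$name") or return;
    return $fh;
}

# Constructed sample inputs: one ordinary name and several to be refused.
for my $input ('emacs.info', 'emacs.info|', '|x', '../x', 'a b', '') {
    my $verdict = defined safe_info_name($input) ? 'accepted' : 'refused';
    printf "%-14s %s\n", "'$input'", $verdict;
}
```

When auditing a CGI script, any two-argument open() whose argument is derived from the request is the line to look for; the allow-list and the explicit mode are independent safeguards and both belong in the fix.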