HTTP_Shell Access
Code: p155
Severity: Notice
Description: A common web server misconfiguration is to put shell interpreters (sh, csh, etc.) in the cgi-bin directory. Specially formatted HTTP requests can cause these shells to execute commands, for example, to email password files. This decode looks for attempts to get shells to execute commands.
Impact: Any web server.
Corrective: Examine the contents of the HTTP request to see the command that was attempted. Check whether the shell interpreter exists in the cgi-bin directory. If it does not, you are not vulnerable. If it does, the command may have completed successfully, and you should take appropriate action (for example, if the command caused the password file to be mailed to the attacker, have the users change their passwords immediately). Check whether any cgi-bin programs rely on shell interpreter access; if they do, move the shell interpreter outside the www root, and modify the cgi-bin programs to look for the shell interpreter in the new location. If no programs use the shell interpreter, remove it from the cgi-bin directory.
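The two file-system checks in the Corrective text can be scripted. The following is an added example, not part of the original advisory or of any product; the interpreter name list and the function names are assumptions, and the cgi-bin path is passed as the first argument.

```sh
#!/bin/sh
# Added example: audit a cgi-bin directory as the Corrective text describes.
# SHELL_NAMES is an assumed list; extend it for interpreters used on your hosts.
SHELL_NAMES="sh csh tcsh ksh bash zsh ash dash"

# Print each shell interpreter present directly in cgi-bin directory $1.
find_cgi_shells() {
    for name in $SHELL_NAMES; do
        if [ -e "$1/$name" ] || [ -L "$1/$name" ]; then
            printf '%s\n' "$1/$name"
        fi
    done
}

# Print CGI programs in $1 whose "#!" line names an interpreter inside $1.
# Only the first line is checked; programs that call the shell some other
# way still need manual review.
find_dependent_cgis() {
    abs=$(cd "$1" && pwd -P) || return 1
    for f in "$abs"/*; do
        [ -f "$f" ] || continue
        first=$(head -c 256 "$f" 2>/dev/null | tr -d '\000' | head -n 1)
        case $first in
            '#!'*"$abs"/*) printf '%s\n' "$f" ;;
        esac
    done
}

# Return 0 if no interpreter is exposed, 1 otherwise, and print the next step.
audit_cgi_bin() {
    shells=$(find_cgi_shells "$1")
    if [ -z "$shells" ]; then
        echo "OK: no shell interpreter in $1"
        return 0
    fi
    printf 'Shell interpreters in %s:\n%s\n' "$1" "$shells"
    deps=$(find_dependent_cgis "$1")
    if [ -n "$deps" ]; then
        printf 'Update these programs, then move the interpreter:\n%s\n' "$deps"
    else
        echo "No program references them by #! line: remove them from $1"
    fi
    return 1
}

if [ "$#" -gt 0 ]; then audit_cgi_bin "$1"; fi
```

A non-zero exit status means an interpreter is present and the request that triggered the alert should be treated as possibly successful.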