Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
| GEN:SID | 1:2223 |
| Message | WEB-CGI csNews.cgi access |
| Summary | This event is generated when an attempt is made to access csNews.cgi on an internal web server. This may indicate an attempt to exploit a file disclosure vulnerability in csNews.cgi, a script distributed by CGIScript.NET. |
| Impact | Information disclosure. The attacker must have an authenticated account to successfully execute this exploit. |
| Detailed Information | csNews.cgi is a Perl script that manages web-based news items. It does not correctly decode and filter out double-encoded URL data on the Advanced Settings page. An authenticated attacker can insert double-encoded directory traversals and file names into the header or footer parameters in csNews.cgi, and the referenced files will appear in the header or footer of the page. |
| Affected Systems | Systems running CGISCRIPT.NET csNews 1.0 or CGISCRIPT.NET csNews Professional 1.0 |
| Attack Scenarios | An attacker crafts a URL with /../../passwd double-encoded in the header or footer parameter. If the password file exists in that location, the file will appear in the header or footer of the web page. |
| Ease of Attack | Simple. Exploits exist. |
| Corrective Action | It is not known if this vulnerability has been patched or fixed in later versions. Contact the vendor for more information. |
| Additional References | |
| Rule References | bugtraq: 4994, cve: 2002-0923, nessus: 11726 |
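
The rule fires on any access to csNews.cgi, so an analyst triaging the alert needs to tell routine requests from ones carrying an encoded traversal. The following is an added example, not part of the original rule documentation: it URL-decodes the header and footer parameters layer by layer and reports how many decodes were needed before a traversal sequence appeared. It assumes the parameters arrive in the query string; the sample URIs are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

TRAVERSAL = re.compile(r"\.\.[/\\]")
WATCHED = {"header", "footer"}  # parameter names taken from the rule text

def decode_layers(value, max_rounds=4):
    """Return value plus each successive URL-decoding until it stops changing."""
    layers = [value]
    for _ in range(max_rounds):
        nxt = unquote(layers[-1])
        if nxt == layers[-1]:
            break
        layers.append(nxt)
    return layers

def inspect_request(uri):
    """Return (param, depth) findings for a csNews.cgi request URI.

    depth is the number of decodes needed before the traversal is visible:
    0 = literal, 1 = single-encoded, 2 = double-encoded.
    """
    parts = urlsplit(uri)
    if not parts.path.lower().endswith("/csnews.cgi"):
        return []
    findings = []
    # Split the raw query by hand so that no decoding happens implicitly.
    for pair in parts.query.split("&"):
        name, _, raw = pair.partition("=")
        if name.lower() not in WATCHED:
            continue
        for depth, layer in enumerate(decode_layers(raw)):
            if TRAVERSAL.search(layer):
                findings.append((name, depth))
                break
    return findings

# Constructed sample request URIs, as they would appear in a web access log.
SAMPLES = [
    "/cgi-bin/csNews.cgi?item=3",
    "/cgi-bin/csNews.cgi?footer=..%2f..%2fpasswd",
    "/cgi-bin/csNews.cgi?header=%252e%252e%252f%252e%252e%252fpasswd",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(uri, "->", inspect_request(uri) or "no traversal in header/footer")
```

A depth of 2 or more on header or footer matches the double-encoding described under Detailed Information and is worth escalating; an empty result means the alert was triggered by plain access to the script.
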
--
DID:342367