Apache on SuSE Linux cgi-bin-sdb Request Script Source Disclosure

This script is Copyright (C) 2000-2014 Tenable Network Security, Inc.


Synopsis :

The remote service is vulnerable to information disclosure.

Description :

The directory /cgi-bin-sdb is an Alias of /cgi-bin - most SuSE systems
are configured that way. Because the mapping is a plain Alias rather than
a ScriptAlias, Apache serves the files in that directory as static content
instead of executing them, so a request through /cgi-bin-sdb/ returns a
CGI script's source rather than its output.

This setting allows an attacker to obtain the source code of the
installed CGI scripts on this host. This is dangerous as it gives an
attacker valuable information about the setup of this host, or perhaps
usernames and passwords if they are hard-coded into the CGI scripts.

See also :

http://archives.neohapsis.com/archives/linux/suse/2000-q3/0906.html

Solution :

In httpd.conf, change the directive :

Alias /cgi-bin-sdb/ /usr/local/httpd/cgi-bin/

to

ScriptAlias /cgi-bin-sdb/ /usr/local/httpd/cgi-bin/
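As an added example (not part of the Nessus plugin or of SuSE's own configuration), the following POSIX shell script audits an httpd.conf for plain Alias or AliasMatch directives that map a URL path onto a cgi-bin directory, which is the weak setting above. The sample configuration embedded in it is constructed for the demonstration, and the function and variable names are the example's own.

```shell
#!/bin/sh
# Added audit helper (example code, not from the Nessus plugin): find plain
# Alias/AliasMatch directives that map a URL path onto a cgi-bin directory.
# Apache serves such a directory as static files, so CGI source is disclosed;
# the fix is ScriptAlias/ScriptAliasMatch, which marks the target as scripts.

# ERE: a line starting with "Alias" or "AliasMatch" (ScriptAlias does not
# start with "Alias", so it is excluded), a URL path, then a filesystem path
# containing "cgi-bin". Leading whitespace is allowed; comment lines do not
# match because they start with "#".
CGI_ALIAS_RE='^[[:space:]]*Alias(Match)?[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]*cgi-bin'

# Constructed sample httpd.conf fragment for the demonstration (not a real
# SuSE file). It contains the advisory's weak Alias and its ScriptAlias fix.
SAMPLE_CONF_TEXT='# Static content alias - harmless
Alias /icons/ /usr/local/httpd/icons/
# Weak setting from the advisory: scripts are served as plain files
Alias /cgi-bin-sdb/ /usr/local/httpd/cgi-bin/
# Correct setting: scripts are executed
ScriptAlias /cgi-bin/ /usr/local/httpd/cgi-bin/
'

# Write the sample fragment to a temporary file and print its path.
write_sample_conf() {
    f="${TMPDIR:-/tmp}/httpd-sample-$$.conf"
    printf '%s' "$SAMPLE_CONF_TEXT" > "$f"
    printf '%s\n' "$f"
}

# Print the number of offending directives in the given config file (0 if none).
count_cgi_aliases() {
    grep -c -i -E "$CGI_ALIAS_RE" "$1" || true
}

# Print each offending directive with its line number.
list_cgi_aliases() {
    grep -n -i -E "$CGI_ALIAS_RE" "$1" || true
}

# Demonstration: audit the constructed sample.
conf=$(write_sample_conf)
if [ "$(count_cgi_aliases "$conf")" -eq 0 ]; then
    echo "OK: no plain Alias onto a cgi-bin directory in $conf"
else
    echo "WARNING: plain Alias onto a cgi-bin directory in $conf:"
    list_cgi_aliases "$conf"
fi
rm -f "$conf"
```

Run it against a real server configuration with `count_cgi_aliases /etc/httpd/httpd.conf` (path is an assumption; SuSE layouts vary). A non-zero count points at directives that should become ScriptAlias or ScriptAliasMatch, or whose directory needs an explicit handler for CGI.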

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 4.8
(CVSS2#E:F/RL:U/RC:ND)

Family: Web Servers

Nessus Plugin ID: 10503

Bugtraq ID: 1658

CVE ID: CVE-2000-0868