CGI Generic Unseen Parameters Discovery
Medium Nessus Plugin ID 44134
Synopsis
A CGI application hosted on the remote web server is potentially prone to information disclosure or privilege escalation.
Description
By sending requests with additional parameters such as 'admin', 'debug', or 'test' to CGI scripts hosted on the remote web server, Nessus was able to generate at least one significantly different response even though the parameters themselves do not actually appear in responses.
This behavior suggests that such parameters, while unseen, are used by the affected application(s) and may enable an attacker to bypass authentication, read confidential data (like the source of the scripts), modify the behavior of the application(s), or conduct similar attacks to gain privileges.
Note that this script is experimental and may be prone to false positives.
Solution
Inspect the reported CGIs and, if necessary, modify them so that security is not based on obscurity.
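
The following is an added example, not part of the plugin or of any reported application: it shows a handler whose behavior depends on an unseen 'debug' parameter next to a corrected form, plus a regression check that confirms the extra parameters no longer change the response. The handler names, the `id` parameter, the `session_is_admin` flag and the response text are all hypothetical.

```python
from urllib.parse import parse_qs

ALLOWED_PARAMS = {"id"}  # assumed: the only parameter this hypothetical script documents

def handle_vulnerable(query_string):
    """'Before' form: an undocumented request parameter unlocks extra output."""
    params = parse_qs(query_string)
    body = "report " + params.get("id", ["?"])[0]
    if "debug" in params:  # unseen switch, fully controlled by the client
        body += "\n[debug] configuration and script details"
    return 200, body

def handle_hardened(query_string, session_is_admin=False):
    """'After' form: only allowlisted parameters are read; privilege is server-side."""
    params = {k: v for k, v in parse_qs(query_string).items() if k in ALLOWED_PARAMS}
    body = "report " + params.get("id", ["?"])[0]
    if session_is_admin:  # set from the authenticated session, never from the URL
        body += "\n[debug] configuration and script details"
    return 200, body

def params_that_change_response(handler, base="id=7", extras=("admin", "debug", "test")):
    """Regression check: which extra parameters alter the handler's response?"""
    baseline = handler(base)
    return [p for p in extras if handler(f"{base}&{p}=1") != baseline]

if __name__ == "__main__":
    print("vulnerable:", params_that_change_response(handle_vulnerable))
    print("hardened:  ", params_that_change_response(handle_hardened))
```

A check like `params_that_change_response` can run in the application's test suite so that a reintroduced hidden switch fails the build.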