It is possible to read any file on the remote system by prepending several dots before the file name.

The 'jj' CGI is installed. This CGI has a well-known security flaw that lets a remote attacker execute arbitrary commands with the privileges of the web server.

Please note that Nessus only checked for the existence of this CGI, and did not attempt to exploit it.

The 'info2www' CGI is installed. This CGI has a well known security flaw that lets an attacker execute arbitrary commands with the privileges of the http daemon (usually root or nobody).

The installed version of the 'icat' CGI allows a remote user to read arbitrary files on the remote target, because it fails to properly sanitize user-supplied input to the 'icatcommand' parameter.

The 'htmlscript' cgi is installed. This CGI has a well known security flaw that lets anyone read arbitrary files with the privileges of the HTTP daemon (root or nobody).

The 'handler' cgi is installed.  This CGI has a well known security flaw that lets anyone execute arbitrary commands with the privileges of the http daemon (root or nobody).

The 'finger' CGI is installed. This can be used by a remote attacker to enumerate accounts on the system. Such information is typically valuable in conducting additional, more focused attacks.

The 'faxsurvey' CGI does not sanitize input to the query string.  A remote attacker could exploit this to execute arbitrary commands.

CGI script 'dumpenv.pl' is installed on the remote host. This CGI gives away too much information about the web server configuration, which will help an attacker.

According to its version number, the 'Count.cgi' CGI installed on the remote web server has a buffer overflow vulnerability.  A remote attacker could use this to execute arbitrary code.

The remote web server appears to be NCSA httpd. This version of the web server comes with a sample CGI script, campas, that fails to properly sanitize user input. This could allow a remote attacker to execute arbitrary commands with the privileges of the web server.

The version of Big Brother running on the remote is affected by a directory traversal vulnerability in the 'HISTFILE' parameter of the 'bb-hist.sh' CGI. A remote attacker can exploit this to read sensitive information from the system.

It was possible to crash the remote Annex terminal by connecting to the HTTP port, and requesting the '/ping' CGI script with an argument that is too long. For example:

 http://www.example.com/ping?query=AAAAA(...)AAAAA

This web server appears to be a version of O'Reilly WebSite that has a buffer overflow vulnerability in its '/cgi-shl/win-c-sample.exe' script.  By passing a specially crafted argument to this script, an unauthenticated, remote attacker can leverage this overflow to execute arbitrary code on the affected host subject to the privileges under which the service operates.

The remote instance of IIS includes the sample site 'ExAir'. By calling one of the included Active Server Pages, specifically '/iissamples/exair/search/search.asp', an unauthenticated, remote attacker may be cause the web server to hang for up to 90 seconds (the default script timeout) if the default ExAir page and associated dlls have not been loaded into the IIS memory space.

The remote instance of IIS includes the sample site 'ExAir'. By calling one of the included Active Server Pages, specifically '/iissamples/exair/search/query.asp', an unauthenticated, remote attacker may be cause the web server to hang for up to 90 seconds (the default script timeout) if the default ExAir page and associated DLLs have not been loaded into the IIS memory space. This can be used to render the site unusable.

The remote instance of IIS includes the sample site 'ExAir'. By calling one of the included Active Server Pages, specifically '/iissamples/exair/search/advsearch.asp', an unauthenticated, remote attacker may be cause the web server to hang for up to 90 seconds (the default script timeout) if the default ExAir page and associated DLLs have not been loaded into the IIS memory space. This can be used to render the site unusable.

ID	Name	Severity
10142	Microsoft Personal Web Server Multiple Dot Request Arbitrary File Access	medium
10131	Multiple Vendor jj CGI Arbitrary Command Execution	high
10127	Multiple Vendor info2www CGI Arbitrary Command Execution	critical
10112	icat carbo.dll icatcommand Parameter Traversal Arbitrary File Access	medium
10106	Miva htmlscript Traversal Arbitrary File Access	high
10100	IRIX handler CGI Arbitrary Command Execution	high
10071	Multiple Web Server finger CGI Information Disclosure	medium
10067	HylaFAX faxsurvey Arbitrary Command Execution	high
10060	Sambar Server dumpenv.pl Information Disclosure	medium
10049	wwwcount Count.cgi Remote Overflow	high
10035	NCSA Campas cgi-bin Arbitrary Command Execution	high
10025	Big Brother bb-hist.sh History Module Directory Traversal	medium
10017	Xylogics Annex Terminal Service ping CGI Program DoS	high
10008	O'Reilly WebSite win-c-sample Remote Overflow	high
10004	Microsoft IIS search.asp Direct Request DoS	medium
10003	Microsoft IIS query.asp Direct Request Remote DoS	medium
10002	Microsoft IIS advsearch.asp Direct Request Remote DoS	medium

Detections

Analytics

CGI abuses Family for Nessus

medium

high

critical

medium

high

high

medium

high

medium

high

high

medium

high

high

medium

medium

medium