Tenable Network Security
Solutions Products Nessus Demos Partners Online Store
Nessus
Download
Plugins
     Newest Plugins
     Obtain an activation code
     View all plugins
     Search
Documentation
Register
Buy Now
ProfessionalFeed Support
Bugs
All the Tenable Products

NCDSA HTTPd nph-test-cgi Arbitrary Directory Listing
This script is Copyright (C) 1999-2010 Tenable Network Security, Inc.

FamilyCGI abuses
Nessus Plugin ID10165 (nph-test-cgi.nasl)
Bugtraq ID686
CVE IDCVE-1999-0045

Description:
Synopsis :

The remote web server contains a CGI script that is affected by
information disclosure vulnerabilities.

Description :

The remote web server contains the 'nph-test-cgi' test script, which
is included by default with some web servers.

The version of this script on the remote host fails to quote input to
several environment variables, such as 'QUERY_STRING', before echoing
it back as part of a shell script. An unauthenticated attacker can
leverage this issue to list the contents of directories on the remote
host, subject to the permissions of the web server user id.

See also :

http://www.cert.org/advisories/CA-1997-07.html

Solution :

Disable or delete the CGI script.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
About us | Whitepapers | Training | Discussion Forums | Support Portal | Blog | RSS feeds | Contact us | Legal | Privacy

© Copyright 2002 - 2010 Tenable Network Security(R). All Rights Reserved.

This is the web site for the Nessus Vulnerability Scanner from Tenable Network Security. If you are looking for the probabilistic analysis software from Southwest Research Institute, please visit www.nessus.swri.org