faxsurvey cgi


    Linux S.u.S.E. running faxsurvey cgi


    Tom found the following. There is a bug in the 'faxsurvey' CGI script
    which allows an attacker to execute any command s/he wants with the
    permissions of the HTTP server. All the attacker has to do is type:

    in his favorite Web browser to get a copy of your password file. All
    S.u.S.E. 5.1 and 5.2 Linux distributions (and I think also older ones)
    with the HylaFAX package installed are vulnerable to this attack.


    The S.u.S.E. team has been notified about the problem. Burchard
    Steinbild said they do not have enough time to fix the bug for their
    5.3 distribution, so they decided to just remove the script from the
    file list. Immediately remove or chown the CGI script.
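    Added example, not code from the advisory, from S.u.S.E. or from HylaFAX: a
    defender-side response on an affected host, which checks the web server's
    access log for requests that reached the faxsurvey CGI and then takes the
    script out of the server's reach as the advisory recommends. Assumptions:
    Apache-style common log format, the CGI installed as $cgi_dir/faxsurvey,
    and the sample log lines below are constructed, not real traffic.

```sh
#!/bin/sh
# Added example (assumption: common log format, script at $cgi_dir/faxsurvey).

# Constructed sample access-log lines, not real traffic.
SAMPLE_LOG='10.0.0.5 - - [01/Jul/1998:10:00:00 +0200] "GET /index.html HTTP/1.0" 200 512
10.0.0.9 - - [01/Jul/1998:10:01:13 +0200] "GET /cgi-bin/faxsurvey HTTP/1.0" 200 1401
10.0.0.9 - - [01/Jul/1998:10:01:20 +0200] "GET /cgi-bin/faxsurvey?x=1 HTTP/1.0" 200 88
10.0.0.7 - - [01/Jul/1998:10:02:00 +0200] "POST /cgi-bin/other HTTP/1.0" 200 3'

# Print every log line (read from stdin) whose request path is the faxsurvey
# CGI, with or without a query string. In common log format the path is the
# seventh whitespace-separated field. Every hit deserves review: the script
# runs whatever it is handed, so a 200 status is not a sign that the request
# was harmless.
faxsurvey_requests() {
    awk '$7 ~ /^\/cgi-bin\/faxsurvey(\?|$)/ { print }'
}

# Number of such requests, for a quick "was this host probed?" answer.
faxsurvey_hit_count() {
    faxsurvey_requests | wc -l | tr -d ' '
}

# Disable the script: clear its permission bits and move it to a quarantine
# directory outside the web root, so a copy survives for later analysis but
# the HTTP server can no longer execute it.
#   $1 = cgi-bin directory, $2 = quarantine directory
# Returns 0 when a script was found and disabled, 1 when none was present.
disable_faxsurvey() {
    cgi_dir=$1
    quarantine=$2
    script="$cgi_dir/faxsurvey"
    [ -e "$script" ] || return 1
    mkdir -p "$quarantine"
    chmod 000 "$script"
    mv "$script" "$quarantine/faxsurvey"
}
```

    Pipe the real access log into faxsurvey_hit_count (or faxsurvey_requests
    to see the lines), then run disable_faxsurvey against the server's cgi-bin.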