COMMAND

    rpm_query

SYSTEMS AFFECTED

    OpenLinux 2.3

PROBLEM

    'harikiri' found the following.  This was observed on an OpenLinux 2.3
    system, after performing a full installation of all packages.

        [root@noname /root]# rpm -q -f /home/httpd/cgi-bin/rpm_query
        OpenLinux-2.3-16
        [root@noname /root]#

    The rpm_query CGI allows any individual who can connect to the web
    server to obtain a listing of all RPMs installed on the system.
    Attackers may use this information to identify what vulnerable
    software packages have been installed.

SOLUTION

    If this cgi is not required:

        # chmod 0 /home/httpd/cgi-bin/rpm_query

    If  it  is  required,  use  Apache's  access  control  features to
    restrict who may use it.
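    An added example (not part of the original advisory) of the Apache
    access-control fix, written in Apache 1.3-style directives for the
    httpd version OpenLinux 2.3 shipped: it restricts the CGI to localhost
    and an administrative subnet and additionally requires a password.
    The ScriptAlias mapping, the 192.0.2.0/24 subnet and the password-file
    path are assumptions to be replaced with local values.

```apache
# Assumes /home/httpd/cgi-bin is already mapped by a line such as
#   ScriptAlias /cgi-bin/ "/home/httpd/cgi-bin/"
# 192.0.2.0/24 is a placeholder for the real administrative subnet.
<Directory "/home/httpd/cgi-bin">
    <Files rpm_query>
        # Apache 1.3 syntax: evaluate Deny first, then Allow.
        # Everyone is denied except the listed sources.
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1 192.0.2.0/255.255.255.0

        # Also require an account from a dedicated password file
        # (placeholder path; create it with htpasswd).
        AuthType Basic
        AuthName "RPM query (administrators only)"
        AuthUserFile /etc/httpd/conf/rpm_query.users
        Require valid-user

        # Clients must pass BOTH the address check and the login;
        # the default "Satisfy any" would let either one suffice.
        Satisfy all
    </Files>
</Directory>
```

    After restarting httpd, a request for /cgi-bin/rpm_query from a host
    outside the allowed range should return 403 Forbidden.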

    This CGI should have been removed long ago.  It is recommended
    you remove it completely.