COMMAND

    AN-HTTPd

SYSTEMS AFFECTED

    Windows98J with AN-HTTPd 1.20b

PROBLEM

    UNYUN found following.  The  test CGIs which are distributed  with
    AN-HTTPd  1.20b  contain  the  remote  command  execution problem.
    Exploit (example):

        http://www.xxx.yy/cgi-bin/input.bat?|dir..\..\windows

SOLUTION

    Remove the following test CGIs:

        cgi-bin/test.bat
        cgi-bin/input.bat
        cgi-bin/input2.bat
        ssi/envout.bat

    Ver1.21 has been released at the official site:

        http://www.st.rim.or.jp/~nakata/