COMMAND
htmlscript
SYSTEMS AFFECTED
Systems running htmlscript 2.99x and earlier
PROBLEM
Dennis Moore posted the following. Htmlscript has a vulnerability
which allows you to access system files, presumably any file
the web server user can access. Miva (htmlscript 3.0) "is an
HTML based web development language which provides the power of
scripting via new, easy-to-use tags." The exploit:
http://www.vulnerable.server.com/cgi-bin/htmlscript?../../../../etc/passwd
The number of ../ components needed depends on the location of the
CGI program. The original finder of this bug remains unknown to the
public.
SOLUTION
According to Joseph Jay Austin (Htmlscript Corporation) the
current shipping version of the product (htmlscript v3.x/Miva
1.x) does not have this security flaw. All customers have the
option of getting a copy of the latest release or a binary-only
fix of the 2.99x distribution. Due to the serious nature of this
problem, all htmlscript licensees are urged to make this upgrade
their highest priority.
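
Added example (not part of the original advisory or of the htmlscript product): a log check that flags requests of the form shown under PROBLEM, where the htmlscript query string contains ".." path components. The log lines are constructed samples; flagging percent-encoded and backslash forms rests on the assumption that the program may decode its argument.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); all values illustrative.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Feb/1998:10:00:01 +0000] "GET /cgi-bin/htmlscript?../../../../etc/passwd HTTP/1.0" 200 1021
192.0.2.11 - - [01/Feb/1998:10:00:05 +0000] "GET /cgi-bin/htmlscript?catalog/index.hts HTTP/1.0" 200 5120
192.0.2.12 - - [01/Feb/1998:10:00:09 +0000] "GET /cgi-bin/htmlscript?%2e%2e/%2e%2e/etc/passwd HTTP/1.0" 200 1021
192.0.2.13 - - [01/Feb/1998:10:00:12 +0000] "GET /index.html?ref=.. HTTP/1.0" 200 300
"""

# client, method, request target, status
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) ')


def fully_unquote(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded dots are also seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious(target):
    """True if the request targets htmlscript with a '..' path component."""
    path, _, query = target.partition("?")
    if not path.lower().endswith("/htmlscript"):
        return False
    # Assumption: treat backslashes as separators, as some servers do.
    query = fully_unquote(query).replace("\\", "/")
    return ".." in query.split("/")


def scan(log_text):
    """Return (client, target, status) for every suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_suspicious(m.group(3)):
            hits.append((m.group(1), m.group(3), int(m.group(4))))
    return hits


if __name__ == "__main__":
    for client, target, status in scan(SAMPLE_LOG):
        print(client, status, target)
```

A 200 status on a flagged request suggests the file was returned and the host should be treated as exposed until upgraded.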