COMMAND

    processit.pl

SYSTEMS AFFECTED

    processit.pl

PROBLEM

    UkR hacking team found the following.  Environment and setup
    variables can be viewed through the processit.pl CGI script.

    The script allows an attacker to view several environment
    variables and so gain useful information about the site, making
    further attacks more feasible.

    processit.pl dumps useful information (e.g. script location,
    SERVER_SOFTWARE, DOCUMENT_ROOT, etc.) to the browser when the
    requested file is incorrect or when the request is made without
    parameters.

    If the requested file does not exist on the site, a URL such as
    the following displays the environment dump.  A similar URL, with
    the necessary modifications, yields the same dump on any
    unprotected site:

        http://www.victim.org/cgi-bin/processit.pl?FORMNAME=UkR

    or

        http://www.victim.org/cgi-bin/processit.pl
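
    The check below is an added example, not part of the original
    advisory and not code from processit.pl.  It scans an HTTP response
    body for the kind of environment dump described above, so a site
    owner can test the error pages of their own CGI scripts.  The
    variable names beyond SERVER_SOFTWARE and DOCUMENT_ROOT, the
    function name leaked_env and the sample bodies are assumptions
    constructed for illustration.

```python
import html
import re

# SERVER_SOFTWARE and DOCUMENT_ROOT are named in the advisory; the other
# names are standard CGI/Apache variables assumed to appear in such a dump.
CGI_VARS = (
    "SERVER_SOFTWARE", "DOCUMENT_ROOT", "SCRIPT_FILENAME", "SCRIPT_NAME",
    "SERVER_ADMIN", "SERVER_NAME", "GATEWAY_INTERFACE", "QUERY_STRING",
    "REMOTE_ADDR", "REQUEST_METHOD", "PATH",
)
_NAMES = "|".join(CGI_VARS)
_TAG = re.compile(r"<[^>]*>")
# A variable name at the start of a line, an optional '=', '=>' or ':'
# separator, then a value that is not itself another variable name.
_ENTRY = re.compile(
    r"^[ \t]*(%s)\b\s*(?:=>?|:)?\s*(?!(?:%s)\b)(\S[^\n]*)" % (_NAMES, _NAMES),
    re.MULTILINE,
)


def leaked_env(body, min_vars=2):
    """Return {name: value} for CGI variables dumped in a response body.

    Tags are turned into line breaks so that both "<b>NAME</b> = value"
    and table-cell layouts are seen as name/value pairs. Fewer than
    min_vars distinct names is treated as ordinary text, not a dump.
    """
    text = html.unescape(_TAG.sub("\n", body))
    found = {}
    for name, value in _ENTRY.findall(text):
        found.setdefault(name, value.strip())
    return found if len(found) >= min_vars else {}


# Constructed sample bodies (not real output of processit.pl).
DUMP_BODY = """<html><body><h1>Error: form not found</h1>
<b>SERVER_SOFTWARE</b> = Apache/1.3.12 (Unix)<br>
<b>DOCUMENT_ROOT</b> = /home/www/htdocs<br>
<b>SCRIPT_FILENAME</b> = /home/www/cgi-bin/processit.pl<br>
</body></html>"""
CLEAN_BODY = "<p>Form not found. Ask the admin to check SERVER_SOFTWARE.</p>"

if __name__ == "__main__":
    for label, body in (("dump", DUMP_BODY), ("clean", CLEAN_BODY)):
        print(label, leaked_env(body))
```

    A non-empty result means the error page discloses server internals
    and should be replaced with a generic message.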

SOLUTION

    Nothing yet.