COMMAND
webpage.cgi
SYSTEMS AFFECTED
webpage.cgi
PROBLEM
'UkR-XblP' found the following. The script lets an attacker view
several environment variables, disclosing useful information about
the site and making further attacks more feasible.
webpage.cgi dumps this information (e.g. script location, HTTP
root, version of Perl, server_admin, server_name, path) to the
browser when the database file provided is incorrect.
If the site does not contain a file named ukr.htm, the following
URL displays the environment dump (note: this URL may not work, as
the vendor has applied the patch to the site. However, a similar
URL, applied with the necessary modifications to an unprotected
site, would yield the same result). Exploit:
http://www.victim.org/cgi-bin/replicator/webpage.cgi/313373/ukr.htm
SOLUTION
Nothing yet.
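
The failure mode described under PROBLEM next to a hardened error path, as an added illustration (not webpage.cgi's source and not a vendor fix). The function names, the 404 status, the log format and the sample environment values are assumptions constructed for the example.

```perl
#!/usr/bin/perl
# Constructed illustration: this is NOT the source of webpage.cgi.
use strict;
use warnings;

# Leaky pattern: on a bad database file the whole CGI environment
# (SERVER_ADMIN, DOCUMENT_ROOT, PATH, ...) is written to the browser.
sub error_page_leaky {
    my ($reason) = @_;
    my $out = "Content-Type: text/plain\r\n\r\nError: $reason\n";
    $out .= "$_ = $ENV{$_}\n" for sort keys %ENV;
    $out .= "Perl version: " . $] . "\n";
    return $out;
}

# Hardened pattern: generic body for the client, detail only in the
# server error log, tied together by a reference id.
sub error_page_safe {
    my ($reason) = @_;
    my $ref = sprintf '%08x', int(rand(0xFFFFFFFF));   # correlation id, not a secret
    my $path_info = defined $ENV{PATH_INFO} ? $ENV{PATH_INFO} : '';
    # Replace non-printable characters so a crafted request path
    # cannot inject forged lines into the log.
    (my $clean = "$reason path_info=$path_info") =~ s/[^\x20-\x7e]/?/g;
    print STDERR "webpage.cgi error ref=$ref $clean\n";
    return "Status: 404 Not Found\r\n"
         . "Content-Type: text/plain\r\n\r\n"
         . "The requested page could not be found. Reference: $ref\n";
}

# Constructed sample environment, standing in for what the web server sets.
@ENV{qw(SERVER_ADMIN DOCUMENT_ROOT PATH_INFO)} =
    ('webmaster@example.org', '/var/www/html', '/313373/ukr.htm');

my $leaky = error_page_leaky('database file not found');
my $safe  = error_page_safe('database file not found');
printf "leaky response exposes SERVER_ADMIN: %s\n",
    ($leaky =~ /SERVER_ADMIN/ ? 'yes' : 'no');
printf "safe response exposes SERVER_ADMIN:  %s\n",
    ($safe =~ /SERVER_ADMIN/ ? 'yes' : 'no');
```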