COMMAND

    httpd (view-source CGI)

SYSTEMS AFFECTED

    Systems running this CGI

PROBLEM

    PLaGuEZ found a pretty ugly hole in the view-source CGI shell script.

    This script, which ships with some httpd distributions and on the
    SCO Skunkware CD-ROMs, is designed to display a given document located
    at $DOCUMENT_ROOT/$1 (where $DOCUMENT_ROOT is an environment variable
    set by the server and $1 is the request argument).

    Unfortunately view-source does not properly check its argument: the
    request string is appended to $DOCUMENT_ROOT as-is, so '../' path
    components walk back out of the document root.

    It is therefore possible to display any file readable by the user the
    web server runs as, on any system where view-source is installed and
    executable by the server, by sending something like

        'http://www.server.com/cgi-bin/view-source?../../../../../../../etc/passwd'

    Each '../' steps up one directory, and enough of them reach the
    filesystem root no matter how deep $DOCUMENT_ROOT sits, so the exact
    count is not important.
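
    The following is an added example, not the original view-source script
    from the httpd or Skunkware distributions: a minimal stand-in for the
    vulnerable pattern next to a hardened replacement that refuses requests
    resolving outside $DOCUMENT_ROOT. It assumes the interface described
    above (the server exports DOCUMENT_ROOT and the already URL-decoded
    request argument arrives as the script's first argument); the function
    names and the throwaway document tree are hypothetical.

```sh
#!/bin/sh
# Added example, not the original view-source CGI. Assumed interface: the
# server exports DOCUMENT_ROOT and the (already URL-decoded) request
# argument is the script's first argument. Function names are hypothetical.

unset CDPATH   # keep 'cd' from consulting CDPATH and printing paths

# Vulnerable pattern: the argument is spliced into the path unchecked, so a
# request of '../../../../etc/passwd' walks straight out of the document root.
view_source_vuln() {
    cat "$1/$2"
}

# Hardened replacement. Prints the file and returns 0 only when the request
# resolves to a regular, non-symlinked file physically below the document
# root; returns 1 (printing nothing on stdout) for anything else.
view_source_safe() {
    docroot=$1
    doc=$2

    # Lexical screen: refuse an empty name, an absolute path, or any '..'
    # path component before touching the filesystem.
    case "/$doc/" in
        //*|*/../*) return 1 ;;
    esac

    # Physical check: resolve the document root and the requested file's
    # directory with 'pwd -P' so directory symlinks cannot smuggle the
    # request outside the root.
    root=$(cd "$docroot" 2>/dev/null && pwd -P) || return 1
    dir=$(cd "$docroot/$(dirname "$doc")" 2>/dev/null && pwd -P) || return 1
    target="$dir/$(basename "$doc")"
    case "$target" in
        "$root"/*) ;;
        *) return 1 ;;
    esac

    # The last component is not resolved by 'pwd -P', so refuse a symlink
    # there too, and serve only regular files.
    [ -L "$target" ] && return 1
    [ -f "$target" ] || return 1
    cat "$target"
}

# Constructed throwaway document tree so the example runs offline; the
# 'secret' file stands in for /etc/passwd. Prints the tree's base directory.
setup_demo_tree() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/htdocs/docs"
    printf 'hello from inside the document root\n' > "$tmp/htdocs/docs/index.html"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$tmp/secret"
    ln -s "$tmp/secret" "$tmp/htdocs/docs/escape"   # file symlink pointing outside
    printf '%s\n' "$tmp"
}

# Demonstration when run directly: the traversal request succeeds against the
# vulnerable function and is refused by the hardened one.
demo() {
    base=$(setup_demo_tree) || return 1
    DOCUMENT_ROOT="$base/htdocs"
    echo "== vulnerable: ../secret =="
    view_source_vuln "$DOCUMENT_ROOT" "../secret"
    echo "== hardened: ../secret =="
    view_source_safe "$DOCUMENT_ROOT" "../secret" || echo "rejected"
    echo "== hardened: docs/escape (symlink out of root) =="
    view_source_safe "$DOCUMENT_ROOT" "docs/escape" || echo "rejected"
    echo "== hardened: docs/index.html =="
    view_source_safe "$DOCUMENT_ROOT" "docs/index.html"
    rm -rf "$base"
}

demo
```

    Note that a real CGI must apply this check after decoding QUERY_STRING,
    never before: a '%2e%2e' that is decoded after the check is the same
    '..' the check was meant to stop. Rejecting symlinks in the final
    component is deliberate, since a link inside the document root that
    points elsewhere defeats a prefix check on the path alone.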

SOLUTION

    Well, at this point you can erase this CGI, or nuke the whole cgi-bin
    if nothing else in it is needed. If you must keep the script, make it
    reject any argument that is empty, absolute or contains a '..' path
    component, and serve only files that resolve to a location below
    $DOCUMENT_ROOT.