COMMAND

    man.sh

SYSTEMS AFFECTED

    Systems running these CGI

PROBLEM

    Robert Moniot  found followung.   The May  1998 issue  of SysAdmin
    Magazine  contains  an  article,  "Web-Enabled  Man  Pages", which
    includes source code for very nice cgi script named man.sh to feed
    man pages  to a  web browser.   The hypertext  links to  other man
    pages are an especially attractive feature.

    Unfortunately, this script is vulnerable to attack.   Essentially,
    anyone who can execute the cgi thru their web browser can run  any
    system commands with the user id of the web server and obtain  the
    output from them in a web page.

SOLUTION

    Author has been  notified and has  undertaken to replace  the code
    posted on the www.samag.com website with corrected code.